December Network OS. Administrator s Guide. Supporting Network OS v2.0

Transcription

1 07 December 2010 Network OS Administrator s Guide Supporting Network OS v2.0

2 Copyright 2010 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCFM, DCX, Fabric OS, FastIron, IronView, NetIron, SAN Health, ServerIron, TurboIron, and Wingspan are registered trademarks, and Brocade Assurance, Brocade NET Health, Brocade One, Extraordinary Networks, MyBrocade, and VCS are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned are or may be trademarks or service marks of their respective owners. Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government. The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that accompany it. The product described by this document may contain open source software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit Brocade Communications Systems, Incorporated Corporate and Latin American Headquarters Brocade Communications Systems, Inc. 130 Holger Way San Jose, CA Tel: Fax: info@brocade.com European Headquarters Brocade Communications Switzerland Sàrl Centre Swissair Tour B - 4ème étage 29, Route de l'aéroport Case Postale 105 CH-1215 Genève 15 Switzerland Tel: Fax: emea-info@brocade.com Asia-Pacific Headquarters Brocade Communications Systems China HK, Ltd. No. 1 Guanghua Road Chao Yang District Units 2718 and 2818 Beijing , China Tel: Fax: china-info@brocade.com Asia-Pacific Headquarters Brocade Communications Systems Co., Ltd. (Shenzhen WFOE) Citic Plaza No. 233 Tian He Road North Unit th Floor Guangzhou, China Tel: Fax: china-info@brocade.com Document History Title Publication number Summary of changes Date Network OS Administrator s Guide New document December 2010

3 Contents About This Document In this chapter xviii How this document is organized xviii Supported hardware and software xix What s new in this document xix Document conventions xx Text formatting xx Command syntax conventions xx Command examples xxi Notes, cautions, and warnings xxi Key terms xxi Notice to the reader xxi Additional information xxii Brocade resources xxii Other industry resources xxii Getting technical help xxii Document feedback xxiii Chapter 1 Chapter 2 Introduction to Network OS and VCS Technology In this chapter Introduction to Brocade Network OS VCS terminology Introduction to VCS technology Ethernet fabric Distributed intelligence Logical chassis Ethernet fabric formation VCS technology use cases Classic Ethernet Access and Aggregation use case Large scale server virtualization use case Using the Network OS CLI In this chapter Brocade Network OS Administrator s Guide ii

4 DCB command line interface Saving your configuration changes Network OS CLI RBAC permissions Default roles Accessing the Network OS CLI through Telnet Network OS CLI command modes Network OS CLI keyboard shortcuts Using the do command as a shortcut Displaying Network OS CLI commands and command syntax.15 Network OS CLI command completion Network OS CLI command output modifiers Chapter 3 Chapter 4 Basic Switch Management In this chapter Connecting to the switch Connecting through a Telnet or SSH session Setting switch attributes Setting and displaying the host name Setting and displaying the chassis name Disabling and enabling a chassis Rebooting a Brocade switch Configuring the Ethernet management interface Configuring a static IPv4 Ethernet address Configuring an IPv4 address with DHCP Configuring a static IPv6 Ethernet address Stateless IPv6 autoconfiguration Setting IPv6 autoconfiguration Displaying the network interface Configuring the management interface speed Configuring Inband Management interfaces Provisioning an Inband Management interface Capturing support data Uploading supportsave data to an external host Saving supportsave data to an attached USB device Additional suppportsave configuration commands Setting up a syslog server Adding a syslog server Removing a syslog server Configuring the RASlog console Displaying the RASlog messages Setting the RASlog severity filter Clearing the RASlog Network Time Protocol In this chapter iii Brocade Network OS Administrator s Guide

5 Time settings Synchronizing the local time with an external source Removing an NTP server IP address Displaying an NTP server IP address Time zone settings Setting the clock Setting the time zone Removing the time zone setting Displaying the current local clock and timezone Chapter 5 Chapter 6 Configuration Management In this chapter Switch configuration overview Flash file management Listing the contents of the flash memory Deleting a file from the flash memory Renaming a file Viewing the contents of a file in the flash memory Configuration file types Default configuration Startup configuration Running configuration Saving configuration changes Saving the running configuration Saving the running configuration to a file Applying previously saved configuration changes Configuration backup Uploading the startup configuration to an external host Backing up the startup configuration to an attached USB device Configuration restoration Restoring a previous startup configuration from backup Restoring the default configuration Configuration management in VCS mode Downloading a configuration to multiple switches Installing and Maintaining Firmware In this chapter Firmware upgrade overview Before you begin Getting the switch firmware version Obtaining and decompressing firmware Downloading the firmware from a remote server Downloading firmware from a USB device Brocade Network OS Administrator s Guide iv

6 Evaluating a firmware upgrade Downloading firmware to a single partition Committing the firmware upgrade Restoring the previous firmware version Firmware upgrade in VCS mode Chapter 7 Chapter 8 Administering Licenses In this chapter Licensing overview Permanent licenses Temporary licenses Individual time-based licenses Universal time-based licenses License expiration Extending a license Usage restrictions Managing licenses Displaying the switch license ID Obtaining a license key Installing a license Removing a license Dynamic Ports on Demand Automatic POD port assignments Mapping port assignments to a POD port set Activating the Dynamic POD feature Displaying the Dynamic POD assignments Overriding Dynamic POD assignments Security In this chapter Role management Default roles Adding or changing a role Deleting a role Displaying a role User management User attributes Adding a user Changing a user Deleting a user Displaying a user Unlocking a user account v Brocade Network OS Administrator s Guide

7 Role-based access control Rule management Default roles Rules processing Adding a rule Changing a rule Deleting a rule Displaying a rule Role management for network security administration Role management for FCoE administration RADIUS Authentication and accounting Authorization Account password changes RADIUS server parameters Adding a RADIUS server Changing a RADIUS server Displaying a RADIUS server Deleting a RADIUS server TACACS TACACS+ server parameters Adding a TACACS+ server Changing a TACACS+ server Displaying a TACACS+ server Deleting a TACACS+ server Login authentication Conditions for conformance Authentication limitations Setting the authentication mode Displaying the authentication mode Setting the authentication mode to the default Passwords Password account lockout Password interaction with external servers Setting password attributes Default password attributes Displaying password attributes Chapter 9 SNMP In this chapter SNMP community strings Adding an SNMP community string Removing an SNMP community string Changing the access of a read-only community string to read-write Displaying the SNMP community strings Brocade Network OS Administrator s Guide vi

8 SNMP server hosts Setting the SNMP server host Setting the SNMP server contact Setting the SNMP server location Displaying SNMP configurations Chapter 10 Chapter 11 Chapter 12 Fabric In this chapter TRILL VCS fabric formation How RBridges work Neighbor discovery Brocade trunks Fabric formation Fabric routing protocol VCS fabric configuration VCS fabric configuration tasks Fabric ISL configuration Fabric trunks Broadcast, unknown unicast, and multicast forwarding Priorities Displaying the running configuration Configuring AMPP In this chapter AMPP overview Configuring AMPP port-profiles Life of a port-profile Configuring a new port-profile Configuring VLAN profiles Configuring FCoE profiles Configuring QoS profiles Configuring security profiles Deleting a port-profile Monitoring AMPP profiles Configuring FCoE Interfaces In this chapter FCoE overview FCoE terminology End-to-end FCoE FCoE operations FCoE end-to-end forwarding vii Brocade Network OS Administrator s Guide

9 Layer 2 Ethernet overview Layer 2 forwarding VLAN tagging Frame classification (incoming) Congestion control and queuing Access control Trunking Flow control FCoE Initialization Protocol FIP discovery FIP login FIP logout Name server Registered State Change Notification FCoE queuing Configuring FCoE interfaces Assigning an FCoE map onto an interface Chapter 13 Configuring VLANs In this chapter VLAN overview Ingress VLAN filtering VLAN configuration guidelines and restrictions Default VLAN configuration VLAN configuration and management Enabling and disabling an interface port Configuring the MTU on an interface port Creating a VLAN interface Enabling STP on a VLAN Disabling STP on a VLAN Configuring an interface port as a Layer 2 switch port Configuring an interface port as an access interface Configuring an interface port as a trunk interface Disabling a VLAN on a trunk interface Configuring protocol-based VLAN classifier rules Configuring a VLAN classifier rule Configuring MAC address-based VLAN classifier rules Deleting a VLAN classifier rule Creating a VLAN classifier group and adding rules Activating a VLAN classifier group with an interface port Clearing VLAN counter statistics Displaying VLAN information Configuring the MAC address table Specifying or disabling the aging time for MAC addresses Adding static addresses to the MAC address table Brocade Network OS Administrator s Guide viii

10 Chapter 14 Configuring STP, RSTP, MSTP, and PVST In this chapter STP overview Configuring STP RSTP overview MSTP overview Configuring MSTP Overview of Rapid PVST Configuration guidelines and restrictions Default Spanning Tree configuration Spanning Tree configuration and management Enabling STP, RSTP, MSTP, or PVST Disabling STP, RSTP, or MSTP Shutting down STP, RSTP, or MSTP globally Specifying the bridge priority Specifying the bridge forward delay Specifying the bridge maximum aging time Enabling the error disable timeout timer Specifying the error disable timeout interval Specifying the port-channel path cost Specifying the bridge hello time Specifying the transmit hold count (RSTP and MSTP) Enabling Cisco interoperability (MSTP) Disabling Cisco interoperability (MSTP) Mapping a VLAN to an MSTP instance Specifying the maximum number of hops for a BPDU (MSTP)145 Specifying a name for an MSTP region Specifying a revision number for an MSTP configuration Flushing MAC addresses (RSTP and MSTP) Clearing spanning tree counters Clearing spanning tree-detected protocols Displaying STP-related information Configuring STP, RSTP, or MSTP on DCB interface ports Enabling automatic edge detection Configuring the path cost Enabling a port (interface) as an edge port Enabling the guard root Specifying the MSTP hello time Specifying restrictions for an MSTP instance Specifying a link type Enabling port fast (STP) Specifying the port priority Restricting the port from becoming a root port Restricting the topology change notification Enabling spanning tree Disabling spanning tree ix Brocade Network OS Administrator s Guide

11 Chapter 15 Chapter 16 Chapter 17 Configuring Link Aggregation In this chapter Link aggregation overview Link Aggregation Group configuration Link Aggregation Control Protocol Dynamic link aggregation Static link aggregation Brocade-proprietary aggregation LAG distribution process Virtual LAG overview Configuring the vlag LACP configuration guidelines and restrictions Default LACP configuration LACP configuration and management Enabling LACP on a DCB interface Configuring the LACP system priority Configuring the LACP timeout period on a DCB interface Clearing LACP counter statistics on a LAG Clearing LACP counter statistics on all LAG groups Displaying LACP information LACP troubleshooting tips Configuring LLDP In this chapter LLDP overview Layer 2 topology mapping DCBX overview Enhanced Transmission Selection Priority Flow Control DCBX interaction with other vendor devices LLDP configuration guidelines and restrictions Default LLDP configuration LLDP configuration and management Enabling LLDP globally Disabling and resetting LLDP globally Configuring LLDP global command options Configuring LLDP interface-level command options Clearing LLDP-related information Displaying LLDP-related information Configuring ACLs In this chapter ACL overview Brocade Network OS Administrator s Guide x

12 Default ACL configuration ACL configuration guidelines and restrictions ACL configuration and management Creating a standard MAC ACL and adding rules Creating an extended MAC ACL and adding rules Modifying MAC ACL rules Removing a MAC ACL Reordering the sequence numbers in a MAC ACL Applying a MAC ACL to a DCB interface Applying a MAC ACL to a VLAN interface Chapter 18 Chapter 19 Configuring QoS In this chapter Standalone QoS Rewriting Queueing User-priority mapping Traffic class mapping Congestion control Tail drop Ethernet pause Ethernet Priority Flow Control Multicast rate limiting Creating a receive queue multicast rate-limit Scheduling Strict priority scheduling Deficit weighted round robin scheduling Traffic class scheduling policy Multicast queue scheduling Data Center Bridging map configuration Creating a CEE map Defining a priority group table Defining a priority-table map Applying a CEE provisioning map to an interface Verifying the CEE maps VCS fabric QoS Configuring VCS fabric QoS Configuring 802.1x Port Authentication In this chapter x protocol overview x configuration guidelines and restrictions x authentication configuration tasks Configuring authentication between the switch and CNA or NIC xi Brocade Network OS Administrator s Guide

13 Interface-specific administrative tasks for 802.1x Configuring 802.1x on specific interface ports Configuring 802.1x timeouts on specific interface ports Configuring 802.1x re-authentication on specific interface ports Configuring 802.1x port-control on specific interface ports..202 Re-authenticating specific interface ports Disabling 802.1x on specific interface ports Disabling 802.1x globally Checking 802.1x configurations Chapter 20 Chapter 21 Chapter 22 Chapter 23 Configuring sflow using the CEE CLI In this chapter sflow protocol overview Interface flow samples Packet counter samples Configuring the sflow protocol globally Interface-specific administrative tasks for sflow Enabling and customizing sflow on specific interfaces Disabling sflow on specific interfaces Configuring Switched Port Analyzer In this chapter Switched Port Analyzer protocol overview SPAN limitations Configuring ingress SPAN Configuring egress SPAN Configuring bidirectional SPAN Deleting a SPAN connection from a session Deleting a SPAN session Configuring RMON In this chapter RMON overview RMON configuration and management Default RMON configuration Configuring RMON events Configuring RMON Ethernet group statistics collection Configuring RMON alarm settings Configuring IGMP In this chapter Brocade Network OS Administrator s Guide xii

14 IGMP overview Active IGMP snooping Multicast routing Configuring IGMP Configuring IGMP snooping querier Monitoring IGMP Index xiii Brocade Network OS Administrator s Guide

15 Figures Figure 1 Comparison of classic Ethernet and VCS architectures Figure 2 Ethernet fabric with Layer 2 multiple paths Figure 3 Distributed intelligence in an Ethernet fabric Figure 4 Logical chassis in Ethernet fabric Figure 5 Pair of Brocade VDX 6720 switches at the top of each server rack Figure 6 Collapsed, flat Layer 2 networks enabling Virtual Machine mobility Figure 7 Network OS CLI command mode hierarchy Figure 8 A management station communicating with the CP Figure 9 Port-profile contents Figure 10 FCoE end-to-end header process Figure 11 Multiple switch fabric configuration Figure 12 Ingress VLAN filtering Figure 13 Queue depth Figure 14 Strict priority schedule two queues Figure 15 WRR schedule two queues Figure 16 Strict priority and Weighted Round Robin scheduler Brocade Network OS Administrator s Guide xiv

16 xv Brocade Network OS Administrator s Guide

17 Tables Table 1 Trademark references xxii Table 2 Network OS CLI command modes Table 3 Network OS CLI keyboard shortcuts Table 4 Network OS CLI command output modifiers Table 5 Standard switch configuration files Table 6 Brocade licenses for optional Network OS features Table 7 List of available ports when implementing PODs Table 8 VCS fabric configuration task examples Table 9 AMPP behavior and failure descriptions Table 10 FCoE terminology Table 11 Default VLAN configuration Table 12 STP versus RSTP state comparison Table 13 Default Spanning Tree configuration Table 14 Default MSTP configuration Table 15 Default 10-Gigabit Ethernet DCB interface-specific configuration Table 16 Default LACP configuration Table 17 ETS priority grouping of IPC, LAN, and SAN traffic Table 18 Default LLDP configuration Table 19 Default MAC ACL configuration Table 20 Default priority value of untrusted interfaces Table 21 IEEE 802.1Q default priority mapping Table 22 Default user priority for unicast traffic class mapping Table 23 Default user priority for multicast traffic class mapping Table 24 Supported scheduling configurations Table 25 Default DCB Priority Group Table configuration Table 26 Default DCB priority table Brocade Network OS Administrator s Guide xvi

18 xvii Brocade Network OS Administrator s Guide

19 About This Document In this chapter How this document is organized xviii Supported hardware and software xix What s new in this document xix Document conventions xx Notice to the reader xxi Additional information xxii Getting technical help xxii Document feedback xxiii How this document is organized This document is organized to help you find the information that you want as quickly and easily as possible. The document contains the following components: Chapter 1, Introduction to Network OS and VCS Technology, provides an overview of Network OS features, including VCS technology. Chapter 2, Using the Network OS CLI, describes the Data Center Bridging (DCB) command line interface. Chapter 3, Basic Switch Management, provides typical connection and configuration procedures. Chapter 4, Network Time Protocol, describes how to set the time and time zone on the switch. Chapter 5, Configuration Management, provides procedures for maintaining and backing up your switch configurations. Chapter 6, Installing and Maintaining Firmware, provides preparations and procedures for performing firmware downloads. Chapter 7, Administering Licenses, provides information about Brocade licenses. Chapter 8, Security, describes role-based access control and provides procedures for managing roles and user accounts. Chapter 9, SNMP, provides procedures for setting community strings and other SNMP configurations. Chapter 10, Fabric, describes how Brocade VCS TM technology is used to create Ethernet fabrics and provides procedures for configuring fabric parameters. Brocade Network OS Administrator s Guide xviii

20 Chapter 11, Configuring AMPP, provides procedures for configuring the Auto Migrating Port Profile (AMPP) profiles. Chapter 12, Configuring FCoE Interfaces, provides procedures for configuring Fibre Channel over Ethernet (FCoE) interfaces. Chapter 13, Configuring VLANs, provides procedures for configuring Virtual LANs. Chapter 14, Configuring STP, RSTP, MSTP, and PVST, provides procedures for configuring the Spanning Tree Protocol (STP), Rapid STP (RSTP), Multiple STP (MSTP), and Per-VLAN Spanning Tree (PVST). Chapter 15, Configuring Link Aggregation, provides procedures for configuring Link Aggregation and Link Aggregation Control Protocol (LACP). Chapter 16, Configuring LLDP, provides procedures for configuring the Link Layer Discovery Protocol (LLDP) and the DCB Capability Exchange Protocol (DCBX). Chapter 17, Configuring ACLs, provides procedures for configuring Access Control Lists (ACLs). Chapter 18, Configuring QoS, provides procedures for configuring Quality of Service (QoS). Chapter 19, Configuring 802.1x Port Authentication, provides procedures for configuring the 802.1x Port Authentication protocol. Chapter 20, Configuring sflow using the CEE CLI, provides procedures for configuring sflow. Chapter 21, Configuring Switched Port Analyzer, provides procedures for configuring Switched Port Analyzer (SPAN). Chapter 22, Configuring RMON, provides procedures for configuring remote monitoring (RMON). Chapter 23, Configuring IGMP, provides procedures for configuring IGMP snooping. Supported hardware and software In those instances in which procedures or parts of procedures documented here apply to some switches but not to others, this guide identifies exactly which switches are supported and which are not. Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc. for Network OS 2.0.0, documenting all possible configurations and scenarios is beyond the scope of this document. The following hardware platforms are supported by this release of Network OS: Brocade VDX Brocade VDX Brocade VDX What s new in this document This is a new document. xix Brocade Network OS Administrator s Guide

21 Document conventions This section describes text formatting conventions and important notice formats used in this document. Text formatting The narrative-text formatting conventions that are used are as follows: bold text Identifies command names Identifies the names of user-manipulated GUI elements Identifies keywords and operands Identifies text to enter at the GUI or CLI italic text Provides emphasis Identifies variables Identifies paths and Internet addresses Identifies document titles code text Identifies CLI output Identifies command syntax examples For readability, command names in the narrative portions of this guide are presented in mixed lettercase: for example, switchshow. In actual examples, command lettercase is all lowercase. Command syntax conventions Command syntax in this manual follows these conventions: Convention Description [ ] Keywords or arguments that appear within square brackets are optional. { x y z } A choice of required keywords appears in braces separated by vertical bars. You must select one. screen font Examples of information displayed on the screen. < > Nonprinting characters, for example, passwords, appear in angle brackets. [ ] Default responses to system prompts appear in square brackets. italic text bold text Identifies variables. Identifies literal command options. NOTE In standalone mode, interfaces are identified using slot/port notation. In VCS mode, interfaces are identified using switch/slot/port notation. Brocade Network OS Administrator s Guide xx

22 Command examples This book describes how to perform configuration tasks using the Network OS command line interface, but does not describe the commands in detail. For complete descriptions of all Network OS commands, including syntax, operand description, and sample output, see the Network OS Command Reference. Notes, cautions, and warnings The following notices and statements are used in this manual. They are listed below in order of increasing severity of potential hazards. NOTE A note provides a tip, guidance, or advice, emphasizes important information, or provides a reference to related information. ATTENTION An Attention statement indicates potential damage to hardware or data. CAUTION A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data. DANGER A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations. Key terms For definitions specific to Brocade and Fibre Channel, see the technical glossaries on MyBrocade. See Brocade resources on page xxii for instructions on accessing MyBrocade. For definitions of SAN-specific terms, visit the Storage Networking Industry Association online dictionary at: Notice to the reader This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations. These references are made for informational purposes only. xxi Brocade Network OS Administrator s Guide

23 TABLE 1 Corporation Trademark references Referenced Trademarks and Products Microsoft Corporation Oracle Corporation Red Hat, Inc. Windows, Windows NT, Internet Explorer Oracle, Java Red Hat, Red Hat Network, Maximum RPM, Linux Undercover Additional information This section lists additional Brocade and industry-specific documentation that you might find helpful. Brocade resources To get up-to-the-minute information, go to to register at no cost for a user ID and password. White papers, online demonstrations, and data sheets are available through the Brocade website at: For additional Brocade documentation, visit the Brocade website: Release notes are available on the MyBrocade website. Other industry resources For additional resource information, visit the Technical Committee T11 website. This website provides interface standards for high-performance and mass storage applications for Fibre Channel, storage management, and other applications: For information about the Fibre Channel industry, visit the Fibre Channel Industry Association website: Getting technical help Contact your switch support supplier for hardware, firmware, and software support, including product repairs and part ordering. To expedite your call, have the following information available: 1. General Information Switch model Switch operating system version Brocade Network OS Administrator s Guide xxii

24 Software name and software version, if applicable Error numbers and messages received Detailed description of the problem, including the switch or fabric behavior immediately following the problem, and specific questions Description of any troubleshooting steps already performed and the results Serial console and Telnet session logs syslog message logs 2. Switch Serial Number The switch serial number and corresponding bar code are provided on the serial number label, as illustrated below: *FT00X0054E9* FT00X0054E9 The serial number label is located as follows: Brocade VDX 6720 On the switch ID pull-out tab located on the bottom of the port side of the switch Document feedback Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. Forward your feedback to: documentation@brocade.com Provide the title and version number of the document and as much detail as possible about your comment, including the topic heading and page number and your suggestions for improvement. xxiii Brocade Network OS Administrator s Guide

25 Introduction to Network OS and VCS Technology Chapter 1 In this chapter Introduction to Brocade Network OS Introduction to VCS technology VCS technology use cases Introduction to Brocade Network OS Brocade Network OS (NOS) is a scalable network operating system available for the Brocade data center switching portfolio products, including the VDX product line. Purposely built for mission-critical, next generation data centers, Network OS supports the following capabilities: Simplified network management Brocade VCS TM technology, a fabric-based Layer 2 Ethernet technology that includes virtual cluster switching, simplifies network management in next-generation virtualized data centers with auto-provisioning and self-healing capabilities. Refer to Introduction to VCS technology on page 2 for an overview and Chapter 10, Fabric, for detailed information on VCS technology. High resiliency VCS-based distributed computer service improves network resiliency using proven link state routing. Improved network utilization Transparent Interconnection of Lots of Links (TRILL)-based Layer 2 routing service provides equal-cost multipaths in the network, resulting in improved network utilitzation. Refer to TRILL on page 89 for additional information about TRILL. Server virtualization Automatic Migration of Port Profile (AMPP) functionality provides fabric-wide configuration of Ethernet policies, achieves per-port profile forwarding, and enables network-level features to support Virtual Machine (VM) mobility. Refer to Configuring AMPP on page 97 for more information about AMPP. Network convergence Data Center Bridging (DCB)-based lossless Ethernet service provides isolation between IP and storage traffic over a unified network infrastructure. Multi-hop Fibre Channel over Ethernet (FCoE) allows an FCoE initiator to communicate with an FCoE target that is a number of hops away. Refer to End-to-end FCoE on page 108 for more information about multi-hop FCoE. Brocade Network OS Administrator s Guide 1

26 1 Introduction to VCS technology In Network OS, all features are configured through a single, industry-standard command line interface (CLI). Refer to the Network OS Command Reference for an alphabetical listing and detailed description of all the Network OS commands. VCS terminology The following terms are used in this document. Edge ports Ethernet fabric Fabric ports Interswitch link (ISL) RBridge RBridge ID VCS ID WWN In an Ethernet fabric, all switch ports used to connect external equipment, including end stations, switches, and routers. A group of connected Ethernet switches exchanging information among each other to implement distributed intelligence. The ports on either end of an interswitch link (ISL) in an Ethernet fabric. An interface connected between switches in an Ethernet fabric. The ports on either end of the interface are called ISL ports or Fabric ports. The ISL can be a single link or a Brocade-proprietary hardware-based trunk. A physical switch in an Ethernet fabric. A unique identifier for an RBridge. In commands, the RBridge ID is used in referencing all interfaces in the Ethernet fabric. Refer to VCS fabric configuration on page 92 for information about setting the RBridge ID. A unique identifier for an Ethernet fabric. The factory default VCS ID is 1. All switches in an Ethernet fabric must have the same VCS ID. World Wide Name. A globally unique ID that is burned into the switch at the factory. Introduction to VCS technology Brocade VCS technology is a Layer 2 Ethernet technology that allows you to create flatter, virtualized, and converged data center networks. VCS technology is scalable, permitting you to expand your network at your own pace. VCS technology comprises the following concepts: Ethernet fabric Distributed intelligence Logical chassis When two or more VCS mode-enabled switches are connected together, they form an Ethernet fabric and exchange information among each other to implement distributed intelligence. To the rest of the network, the Ethernet fabric appears as a single logical chassis. Figure 1 shows an example of a data center with a classic hierarchical Ethernet architecture and the same data center with a VCS architecture. The VCS architecture combines the Access and Aggregation layers and is easily scalable as you add more server racks. 2 Brocade Network OS Administrator s Guide

27 Introduction to VCS technology 1 Classic Hierarchical Ethernet Architecture Brocade VCS Architecture Access Aggregation Edge Core Core Scalability Servers with 10 Gbps Connections Servers with 10 Gbps Connections FIGURE 1 Comparison of classic Ethernet and VCS architectures Ethernet fabric When you connect two or more VCS mode-enabled switches, they form an Ethernet fabric, as shown in Figure 2. Brocade Network OS Administrator s Guide 3

28 1 Introduction to VCS technology Active Path #1 Source FIGURE 2 Active Path #2 Destination Ethernet fabric with Layer 2 multiple paths The Ethernet fabric has the following characteristics: It is a switched network. The Ethernet fabric utilizes an emerging standard called Transparent Interconnection of Lots of Links (TRILL) as the underlying technology. Fabric members and devices connected always know about each other. All paths in the fabric are available. Traffic is always distributed across equal-cost paths. As shown in Figure 2, traffic from the source to the destination can travel across two paths. Traffic travels across the shortest path. If a single link fails, traffic is automatically rerouted to other available paths. In Figure 2, if one of the links in Active Path #1 goes down, traffic is seamlessly rerouted across Active Path #2. Spanning Tree Protocol (STP) is not necessary because the Ethernet fabric appears as a single logical switch to connected servers, devices, and the rest of the network. Traffic can be switched from one Ethernet fabric to the other Ethernet fabric. Distributed intelligence With VCS technology, all relevant information is automatically distributed to each member switch to provide unified fabric functionality, as shown in Figure 3 on page 5. For example, when a server connects to the fabric for the first time, all switches in the fabric learn about that server. In this way, fabric switches can be added or removed and physical or virtual servers can be relocated without the fabric requiring manual reconfiguration. 4 Brocade Network OS Administrator s Guide

29 Introduction to VCS technology 1 i i i i i i i FIGURE 3 Distributed intelligence in an Ethernet fabric Distributed intelligence has the following characteristics: The fabric is self-forming. When two VCS mode-enabled switches are connected, the fabric is automatically created and the switches discover the common fabric configuration. The fabric is masterless. No single switch stores configuration information or controls fabric operations. Any switch can fail or be removed without causing disruptive fabric downtime or delayed traffic. The fabric is aware of all members, devices, and Virtual Machines (VMs). If the VM moves from one VCS port to another VCS port in the same fabric, the port-profile is automatically moved to the new port. Logical chassis All switches in an Ethernet fabric are managed as if they were a single logical chassis. To the rest of the network, the fabric looks no different than any other Layer 2 switch. Figure 4 shows an Ethernet fabric with two switches. The rest of the network is aware of only the edge ports in the fabric, and is unaware of the connections within the fabric. Brocade Network OS Administrator s Guide 5

30 1 Introduction to VCS technology External non-vcs Switch External non-vcs Switch Server Server Physical View Logical View Edge Ports Fabric Ports FIGURE 4 Logical chassis in Ethernet fabric Each physical switch in the fabric is managed as if it were a blade in a chassis. When a VCS mode-enabled switch is connected to the fabric, it inherits the configuration of the fabric and the new ports become available immediately. Ethernet fabric formation VCS fabric protocols are designed to aid the formation of an Ethernet fabric with minimal user configuration. Refer to VCS fabric formation on page 90 for detailed information about the Ethernet fabric formation process. All supported switches are shipped with VCS mode enabled. Refer to VCS fabric configuration on page 92 for information about disabling and enabling VCS mode on your switches. 6 Brocade Network OS Administrator s Guide

31 VCS technology use cases 1 Automatic neighbor discovery When you connect a switch to a VCS mode-enabled switch, the VCS mode-enabled switch determines if the neighbor also has VCS mode enabled. If the switch has VCS mode enabled and the VCS IDs match, the switch joins the Ethernet fabric. Refer to VCS fabric configuration on page 92 for information about changing the VCS ID. Automatic ISL formation and hardware-based trunking When a switch joins an Ethernet fabric, ISLs automatically form between directly connected switches within the fabric. If more than one ISL exists between two switches, then Brocade ISL trunks might automatically form. All ISLs connected to the same neighboring Brocade switch attempt to form a trunk. The trunks are formed only when the ports belong to the same port group. No user intervention is necessary to form these trunks. Refer to Fabric ISL configuration on page 93 for information about enabling and disabling ISLs and trunks. Principal RBridge election The RBridge with the lowest WWN in the Ethernet fabric is elected as the principal RBridge. The role of the principal RBridge is to decide whether a new RBridge joining the fabric conflicts with any of the RBridge IDs already present in the fabric. If a conflict arises, the principal RBridge keeps the joining RBridge segmented. Refer to VCS fabric configuration on page 92 for information about setting the RBridge ID. VCS technology use cases This section describes the following use cases for VCS technology: Classic Ethernet Large scale server virtualization Classic Ethernet Access and Aggregation use case VCS can be deployed in the same fashion as existing top-of-rack switches, as shown in Figure 5. In the rightmost two server racks, a two-switch Ethernet fabric replaces the Ethernet switch at the top of each rack. Brocade Network OS Administrator s Guide 7

32 1 VCS technology use cases WAN Existing Data Center Core Switches Aggregation Switches LAG Existing 1 Gbps Access Switches 2-Switch VCS at Top-of-Rack 1 Gbps Servers FIGURE 5 1/10 Gbps Servers Blade Servers Pair of Brocade VDX 6720 switches at the top of each server rack The servers see a single top-of-rack switch, allowing for active/active connections, end-to-end. VCS technology in this use case provides the following advantages: Multiple active-active connections, with increased effective bandwidth Preserves existing architecture Works with existing core and aggregation networking products Co-exists with existing access switches Supports 1 and 10 Gbps server connectivity Works with server racks or blade servers Large scale server virtualization use case Figure 6 shows a logical two-tier architecture with VCS fabrics at the edge. Each VCS fabric appears as a single virtual switch to the switches outside the fabric, which results in flattening the network. 8 Brocade Network OS Administrator s Guide

33 VCS technology use cases 1 WAN Existing Data Center Core Switches VCS Edge Fabrics 1/10 Gbps Servers FIGURE 6 Blade Servers 10 Gbps Servers Blade Servers Collapsed, flat Layer 2 networks enabling Virtual Machine mobility VCS technology in this use case provides the following advantages: Co-exists with existing core and aggregation networking products Optimizes the multipath network (all paths are active, no single point of failure, and STP is not necessary) Increases sphere of Virtual Machine (VM) mobility Brocade Network OS Administrator s Guide 9

34 1 VCS technology use cases 10 Brocade Network OS Administrator s Guide

35 Using the Network OS CLI Chapter 2 In this chapter DCB command line interface DCB command line interface The Brocade Data Center Bridging (DCB) CLI is designed to support the management of DCB and Layer 2 Ethernet switching functionality. The Network OS CLI uses an industry-standard hierarchical shell familiar to Ethernet/IP networking administrators. The system starts up with the default Network OS configuration and the DCB startup configuration. After logging in, you are in the Network OS shell. For information on accessing the DCB commands from the Network OS shell, see Network OS CLI command modes on page 12. Saving your configuration changes Any configuration changes made to the switch are written into the running-config file. This is a dynamic file that is lost when the switch reboots. During the boot sequence, the switch resets all configuration settings to the values in the startup-config file. To make your changes permanent, use the copy command to commit the running-config file to the startup-config file, as shown below. Example of committing the running-config in privileged EXEC mode. switch#copy running-config startup-config Network OS CLI RBAC permissions Role-Based Action Control (RBAC) defines the capabilities that a user account has based on the role the account has been assigned. A role is an entity that defines the access privileges of the user accounts on the switch. A user is associated with one role. Refer to Role management on page 61 for information about RBAC. Default roles Attributes of default roles cannot be modified; however, the default roles can be assigned to non-default user accounts. The following roles are default roles: The admin role has the highest privileges. All CLIs are accessible to the user associated with the admin role. By default, the admin role has read and write access. Brocade Network OS Administrator s Guide 11

36 2 DCB command line interface The user role has limited privileges that are mostly restricted to show commands in the Privileged EXEC mode. User accounts associated with the user role cannot access configuration CLIs that are in the global configuration mode. By default, the user role has read-only access. Accessing the Network OS CLI through Telnet NOTE While this example uses the admin role to log in to the switch, both roles can be used. The procedure to access the Network OS CLI is the same through either the console interface or through a Telnet session; both access methods bring you to the login prompt. switch login: admin Password:********** switch# NOTE Multiple users can Telnet sessions and issue commands using the privileged EXEC mode. Network OS v2.0.0 supports up to 32 Telnet sessions with the admin login. Network OS CLI command modes Figure 7 displays the Network OS CLI command mode hierarchy. FIGURE 7 Network OS CLI command mode hierarchy Privileged EXEC Global configuration FCoE Interface configuration Protocol configuration CEE CLI features Console and VTY (line) configuration Port-profile mode Fabric-map Map Port-channel 10-Gigabit Ethernet VLAN LLDP Spanning-tree CEE map ACLs Console Virtual terminal VLANprofile QoSprofile FCoEprofile Securityprofile Table 2 lists the Network OS CLI command modes and describes how to access them. NOTE Use the pwd command to view the mode of the current working directory. This command functions in global configuration mode and the modes accessed from global configuration mode. 12 Brocade Network OS Administrator s Guide

37 DCB command line interface 2 TABLE 2 Command mode Network OS CLI command modes Prompt How to access the command mode Description Privileged EXEC switch# This is the default mode for the switch. Display and change system parameters. Note that this is the administrative mode and includes the basic configuration commands. Global configuration switch(config)# From the privileged EXEC mode, enter the configure terminal command. Configure features that affect the entire switch. Interface configuration Port-channel: switch(config-port-channel-63)# 10-Gigabit Ethernet (DCB port): switch(conf-if-te-0/1)# VLAN: switch(conf-vlan-1)# From the global configuration mode, specify an interface by entering one of the following commands: interface port-channel interface tengigabitethernet interface vlan Access and configure individual interfaces. Protocol configuration LLDP: switch(conf-lldp)# Spanning-tree: switch(conf-mstp)# switch(conf-rstp)# switch(conf-stp)# switch(conf-pvst)# switch(conf-rpvst)# From the global configuration mode, specify a protocol by entering one of the following commands: protocol lldp protocol spanning-tree mstp protocol spanning-tree rstp protocol spanning-tree stp protocol spanning-tree pvst protocol spanning-tree rapid-pvst Access and configure protocols. FCoE configuration FCoE: switch(config-fcoe)# FCoE fabric-map sub-mode: switch(config-fcoe-fabric-map)# FCoE map sub-mode: switch(config-fcoe-map)# From the global configuration mode, use the fcoe command to enter FCoE configuration mode. From the FCoE configuration mode, specify an FCoE sub-mode by entering one of the following commands: fabric-map default map default Access and configure FCoE features. Brocade Network OS Administrator s Guide 13

38 2 DCB command line interface TABLE 2 Command mode Network OS CLI command modes (Continued) Prompt How to access the command mode Description AMPP port-profile mode AMPP port-profile: switch(conf-port-profile-name)# VLAN-profile sub-mode: switch(conf-vlan-profile)# QoS-profile sub-mode: switch(conf-qos-profile)# FCoE-profile sub-mode: switch(conf-fcoe-profile)# Security-profile sub-mode: switch(conf-security-profile)# From the global configuration mode, enter the port-profile command to enter port-profile configuration mode. From the port-profile configuration mode, specify an AMPP sub-mode by entering one of the following commands: vlan-profile qos-profile fcoe-profile security-profile Access and configure AMPP features. Feature configuration CEE map: switch(config-cee-map-default)# Standard ACL: switch(conf-macl-std)# Extended ACL: switch(conf-macl-ext)# From the global configuration mode, specify a DCB feature by entering one of the following commands: cee-map default mac access-list standard mac access-list extended Access and configure CEE map features. NOTE Pressing Ctrl+Z or entering the end command in any mode returns you to privileged EXEC mode. Entering exit in any mode returns you to the previous mode. 14 Brocade Network OS Administrator s Guide

39 DCB command line interface 2 Network OS CLI keyboard shortcuts Table 3 lists Network OS CLI keyboard shortcuts. TABLE 3 Keystroke Network OS CLI keyboard shortcuts Description Ctrl+B or the left arrow key Ctrl+F or the right arrow key Ctrl+A Ctrl+E Esc B Esc F Ctrl+Z Ctrl+P or the up arrow key Ctrl+N or the down arrow key Moves the cursor back one character. Moves the cursor forward one character. Moves the cursor to the beginning of the command line. Moves the cursor to the end of the command line. Moves the cursor back one word. Moves the cursor forward one word. Returns to privileged EXEC mode. Displays commands in the history buffer with the most recent command displayed first. Displays commands in the history buffer with the most recent command displayed last. NOTE In privileged EXEC mode, use the show history command to list the commands most recently entered. The switch retains the history of the last 1000 commands entered from all terminals. Using the do command as a shortcut You can use the do command to save time when you are working in any configuration mode and you want to run a command in privileged EXEC mode. For example, if you are configuring LLDP and you want to execute a privileged EXEC mode command, such as the dir command, you would first have to exit the LLDP configuration mode. By using the do command with the dir command, you can ignore the need to change configuration modes, as shown in the following example. switch(conf-lldp)#do dir Contents of flash:// -rw-r Wed Feb 4 07:08: startup_rmon_config -rw-r Wed Feb 4 07:10: rmon_config -rw-r Wed Feb 4 07:12: rmon_configuration -rw-r Wed Feb 4 10:48: starup-config Displaying Network OS CLI commands and command syntax Enter a question mark (?) in any command mode to display the list of commands available in that mode. switch(conf-lldp)#? Possible completions: advertise description disable The Advertise TLV configuration. The User description Disable LLDP Brocade Network OS Administrator s Guide 15

40 2 DCB command line interface do exit hello help iscsi-priority mode multiplier no profile pwd system-description system-name top Run an operational-mode command Exit from current mode The Hello Transmit interval. Provide help information Configure the Ethernet priority to advertise for iscsi The LLDP mode. The Timeout Multiplier Negate a command or set its defaults The LLDP Profile table. Display current mode path The System Description. The System Name Exit to top level and optionally run command To display a list of commands that start with the same characters, type the characters followed by the question mark (?). switch#e? Possible completions: exit Exit the management session To display the keywords and arguments associated with a command, enter the keyword followed by the question mark (?). switch#terminal? Possible completions: length Sets Terminal Length for this session monitor Enables terminal monitoring for this session no Sets Terminal Length for this session to default :24. timeout Sets the interval that the EXEC command interpreter wait for user input. If the question mark (?) is typed within an incomplete keyword, and the keyword is the only keyword starting with those characters, the CLI displays help for that keyword only. switch#show d? Possible completions: debug Debug diag Show diag related information dot1x Show dot1x dpod Provides License Information on Pod in fabric If the question mark (?) is typed within an incomplete keyword but the keyword matches several keywords, the CLI displays help for all the matching keywords. switch#show i? interface Interface status and configuration ip Internet Protocol (IP) The Network OS CLI accepts abbreviations for commands. This example is the abbreviation for the show qos interface all command. switch#sh q i a If the switch does not recognize a command after Enter is pressed, an error message displays. switch#hookup ^ syntax error: unknown argument. 16 Brocade Network OS Administrator s Guide

41 DCB command line interface 2 If an incomplete command is entered, an error message displays. switch#show ^ syntax error: unknown argument. Network OS CLI command completion To automatically complete the spelling of commands or keywords, begin typing the command or keyword and then press Tab. For example, at the CLI command prompt, type te and press Tab: switch#te The CLI displays the following command. switch#terminal If there is more than one command or keyword associated with the characters typed, the Network OS CLI displays all choices. For example, at the CLI command prompt, type show l and press Tab: switch#show l The CLI displays the following command. switch#show l Possible completions: lacp license Display license keys installed on the switch. lldp Link Layer Discovery Protocol(LLDP). logging Show logging Network OS CLI command output modifiers You can filter the output of the Network OS CLI show commands using the output modifiers described in Table 4. Use the pipe character ( ) to add these modifiers. TABLE 4 Output modifier Network OS CLI command output modifiers Description redirect include exclude append begin last tee Redirects the command output to the specified file. Displays the command output that includes the specified expression. Displays the command output that excludes the specified expression. Appends the command output to the specified file. Displays the command output that begins with the specified expression. Displays only the last few lines of the command output. Redirects the command output to the specified file. Note that this modifier also displays the command output. Brocade Network OS Administrator s Guide 17

42 2 DCB command line interface 18 Brocade Network OS Administrator s Guide

43 Basic Switch Management Chapter 3 In this chapter Connecting to the switch Connecting to the switch Setting switch attributes Disabling and enabling a chassis Rebooting a Brocade switch Configuring the Ethernet management interface Configuring Inband Management interfaces Capturing support data Setting up a syslog server Configuring the RASlog console You can connect to your switch through a console session on the serial port, or through a Telnet or secure shell (SSH) connection to the management port. You can use any account login present in the local switch database or on a configured authentication authorization accounting (AAA) server for authentication. For initial setup procedures, use the preconfigured administrative account that is part of the default switch configuration. The switch must be physically connected to the network. If the switch network interface is not configured or the switch has been disconnected from the network, use a console session on the serial port. Refer to the Brocade VDX 6720 Hardware Reference Manual for information on connecting through the serial port. Refer to Configuring the Ethernet management interface on page 22 for information on configuring the network interface. Connecting through a Telnet or SSH session 1. Connect through a serial port to the switch. 2. Verify that the switch s network interface is configured and that it is connected to the IP network through the RJ-45 Ethernet port. 3. Log off the switch s serial port. 4. From a management station, open a Telnet or SSH connection using the management IP address of the switch to which you want to connect. For more information on setting the management IP address, refer to Configuring the Ethernet management interface on page 22. Brocade Network OS Administrator s Guide 19

44 3 Setting switch attributes 5. Enter the account user name at the login prompt. 6. Enter the password. Brocade recommends that you change the default account password when you log in for the first time. For more information on changing the default password, refer to the Brocade VDX 6720 Hardware Reference Manual. 7. Verify that the login was successful. The prompt displays the host name followed by a pound sign (#). login as: admin admin@ 's password:****** WARNING: The default password of 'admin' and 'user' accounts have not been changed. Welcome to the Brocade Network Operating System Software admin connected from using ssh on VDX Setting switch attributes A switch can be identified by its IP address, World Wide Name (WWN), switch ID or RBridge ID, or by its host name and chassis name. You can customize the host name and chassis name with the switch-attributes command. A host name can be from 1 through 30 characters long. It must begin with a letter, and can contain letters, numbers, and underscore characters. The default host name is sw0. The host name is displayed at the system prompt. Brocade recommends that you customize the chassis name for each platform. Some system logs identify the switch by its chassis name; if you assign a meaningful chassis name, logs are more useful. A chassis name can be from 1 through 30 characters long, must begin with a letter, and can contain letters, numbers, and underscore characters. The default chassis name is VDX and VDX depending on the switch model. Setting and displaying the host name 1. Issue the configure terminal command to enter the global configuration mode. 2. Enter the switch-attributes command, followed by the switch ID. 3. Enter the host-name operand followed by the host name. 4. Save the configuration changes using the copy running-config startup-config command. switch# configure terminal Entering configuration mode terminal switch(config)# switch-attributes 2 switch(config-switch-attributes-2)# host-name lab1_vdx0023 switch(config-switch-attributes-2)# exit switch(config)# do copy running-config startup-config switch(config)# do show running-config switch-attributes 2 switch-attributes 2 chassis-name VDX host-name lab1_vdx0023! 20 Brocade Network OS Administrator s Guide

45 Disabling and enabling a chassis 3 Setting and displaying the chassis name 1. Issue the configure terminal command to enter the global configuration mode. 2. Enter the switch-attributes command, followed by the switch ID. 3. Enter the chassis-name operand, followed by the chassis name. 4. Save the configuration changes using the copy running-config startup-config command switch# configure terminal Entering configuration mode terminal switch(config)# switch-attributes 2 switch(config-switch-attributes-2)# chassis-name lab1_vdx0023 switch(config)# do copy running-config startup-config switch(config)# do show running-config switch-attributes 2 switch-attributes 2 chassis-name lab1_vdx0023 host-name lab1_vdx0023 Disabling and enabling a chassis By default, the chassis is enabled after power is turned on and diagnostics and switch initialization routines have finished. All interfaces are online. You can disable and re-enable the chassis as necessary. Use the chassis disable command if you want to take most or all interfaces offline. All interfaces on the switch are taken offline. If the switch was part of an Ethernet fabric, the fabric reconfigures. Use the chassis enable command to bring the interfaces back online. All interfaces that passed POST are enabled and come back online. If the switch was part of an Ethernet fabric, it re-joins the fabric. NOTE Disabling the chassis is a disruptive operation. Use the shutdown command to disable or enable a few selected interfaces only. Refer to the Network OS Command Reference for more information on this command. Rebooting a Brocade switch Network OS provides two commands to reboot your system: reload, and fastboot. The reload command performs a cold reboot (power off and restart) of the control processor (CP). The power-on self-test (POST) is run when the system comes back up. The fastboot command performs a cold reboot (power off and restart) of the control processor (CP), bypassing POST when the system comes back up. Bypassing POST can reduce boot time significantly. If POST was previously disabled, then the fastboot command performs the same operation as the reload command. NOTE Both reboot operations are disruptive, and the commands prompt for confirmation before executing. When you reboot a switch connected to a fabric, all traffic to and from that switch stops. All ports on that switch remain inactive until the switch comes back online. Brocade Network OS Administrator s Guide 21

46 3 Configuring the Ethernet management interface Configuring the Ethernet management interface The Ethernet network interface provides management access, including direct access to the Network OS CLI. You must configure at least one IP address using a serial connection to the CLI before you can manage the system with other management interfaces. You can either configure static IP addresses in IPv4 format, or you can use a Dynamic Host Configuration Protocol (DHCP) client to acquire IPv4 addresses automatically. For IPv6 addresses, Network OS v2.0.0 supports both static IPv6 and stateless IPv6 autoconfiguration. Setting static IPv4 addresses and using DHCP are mutually exclusive. If DHCP is enabled, remove the DHCP client before you configure a static IPv4 IP address. Use the no ip address dhcp command to disable DHCP. NOTE You must connect through the serial port to set the IP address if the network interface is not configured already. Refer to the Brocade VDX 6720 Hardware Reference Manual for information on connecting through the serial port. Configuring a static IPv4 Ethernet address Use static Ethernet network interface addresses in environments where the DHCP service is not available. To configure a static IPv4 address, you must first disable DHCP. Refer to Configuring an IPv4 address with DHCP on page 23 for more information. 1. Connect to the switch through the serial console. 2. Issue the configure terminal command to enter the global configuration mode. 3. Enter the interface Management switchid/0 command to configure the management port. There is only one management port on the VDX 6720 switches and the port number is Enter the no dchp command to disable DCHP. 5. Enter the ip address IPv4_address/prefix_length command. 6. Enter the ip gateway-address command to configure the gateway address in IPv4 format. NOTE Specifying an IPv4 address with a subnet mask is not supported. Instead, enter a prefix number. To enter a prefix number for a network mask, type a forward slash ( / ) and the number of bits in the mask immediately after the IP address. For example, enter, /24 for an IP address that has a network mask with 24 significant ( mask ) bits. switch# configure terminal Entering configuration mode terminal switch(config)# interface Management 1/0 switch(config-management-1/0)# no ip address dhcp switch(config-management-1/0)# ip address /20 switch(config-management-1/0)# ip gateway-address Brocade Network OS Administrator s Guide

47 Configuring the Ethernet management interface 3 Configuring an IPv4 address with DHCP By default, DHCP is disabled. You must explicitly enable the service with the ip address dhcp command. The Network OS DHCP client supports the following parameters: External Ethernet port IP addresses and prefix length Default gateway IP address When you connect the DHCP-enabled switch to the network and power on the switch, the switch automatically obtains the Ethernet IP address, prefix length, and default gateway address from the DHCP server. The DHCP client can only connect to a DHCP server on the same subnet as the switch. Do not enable DHCP if the DHCP server is not on the same subnet as the switch. Use the no ip address dhcp command to disable DCHP. NOTE Enabling DHCP removes all configured static IPv4 addresses. Configuring a static IPv6 Ethernet address 1. Issue the configure terminal command to enter the global configuration mode. 2. Enter the interface Management switchid/0 command. There is only one management port on the VDX 6720 switches and the port number is Enter the ipv6 address IPv6_addresss/prefix_length command. switch# configure terminal Entering configuration mode terminal switch(config)# interface Management 1/0 switch(config-management-1/0)# ipv6 address \ fd00:60:69bc:832:e61f:13ff:fe67:4b94/64 Stateless IPv6 autoconfiguration The IPv6 protocol allows assignment of multiple IP addresses to each network interface. Each interface is configured with a link local address in almost all cases, but this address is only accessible from other hosts on the same network. To provide for wider accessibility, interfaces are typically configured with at least one additional global scope IPv6 address. IPv6 autoconfiguration allows more IPv6 addresses, the number of which is dependent on the number of routers serving the local network and the number of prefixes they advertise. When IPv6 autoconfiguration is enabled, the platform will engage in stateless IPv6 autoconfiguration. When IPv6 autoconfiguration is disabled, the platform will relinquish usage of any autoconfigured IPv6 addresses that it may have acquired while IPv6 autoconfiguration was enabled. This same enabled and disabled state also enables or disables the usage of a link local address for each managed entity (though a link local address will continue to be generated for each switch) because those link local addresses are required for router discovery. The enabled or disabled state of autoconfiguration does not affect any static IPv6 addresses that may have been configured. Stateless IPv6 autoconfiguration and static IPv6 addresses can co-exist. Brocade Network OS Administrator s Guide 23

48 3 Configuring the Ethernet management interface Setting IPv6 autoconfiguration 1. Issue the configure terminal command to enter the global configuration mode. 2. Take the appropriate action based on whether you want to enable or disable IPv6 autoconfiguration: Enter the ipv6 address autoconfig command to enable IPv6 autoconfiguration for all managed entities on the target platform. Enter the no ipv6 address autoconfig command to disable IPv6 autoconfiguration for all managed entities on the target platform. Displaying the network interface If an IP address has not been assigned to the network interface, you must connect to the Network OS CLI using a console session on the serial port. Otherwise, connect to the switch through Telnet or SSH. Enter the show running-config interface Management command to display the network interface, as shown in the following example. switch#show running-config interface Management 1/0 interface Management 1/0 no ip address dhcp ip address /20 ip gateway-address ipv6 address fd00:60:69bc:832:e61f:13ff:fe67:4b94/64 no ipv6 address autoconfig Configuring the management interface speed By default, the speed of the interface is set to autoconfiguration, which means the interface speed is optimized dynamically depending on load and other factors. You can override the default with a fixed speed value of 10 Mbps Full Duplex or 100 Mbps Full Duplex. 1. Issue the configure terminal command to enter the global configuration mode. 2. Enter the interface Management command followed by switchid/0. 3. Enter the speed command with a question mark (?) to display the speed configuration options. 4. Re-enter the speed command with the selected speed parameter. 5. Enter the show running-config interface Management command to display the new settings. 6. Save the configuration changes using the copy running-config startup-config command. 7. Display the saved configuration. switch# configure terminal Entering configuration mode terminal switch(config)# interface Management 1/0 switch(config-management-1/0)# speed? switch(config-management-1/0)# speed 100 switch(config-management-1/0)#exit switch(config)# do show running-config interface Management 1/0 interface Management 1/0 no ip address dhcp ip address /20 ip gateway-address ipv6 address "" 24 Brocade Network OS Administrator s Guide

49 Configuring Inband Management interfaces 3 no ipv6 address autoconfig speed 100! switch(config)# do copy running-config startup-config switch(config)# do show interface Management 1/0 ip address /20 ip gateway-address ipv6 ipv6_address [ ] ipv6 ipv6_gateways [ fe80::21b:edff:fe0b:2400 ] LineSpeed Actual "100 Mbit, Duplex: Full" LineSpeed Configured "100 Mbit, Duplex: Full" Configuring Inband Management interfaces Inband Management on the Brocade VDX 6720 switches allows a management station to communicate with the CP through Layer 3-enabled front-end Ethernet ports. The purpose of this feature is to facilitate tasks such as downloading firmware, SNMP polling, SNMP traps, troubleshooting, and configuration when an out-of-band management interface is not available. NOTE You can only configure the Inband Management interface if the switch is in standalone mode. The management station can connect to the switch using SSH, SCP, or Telnet. Inband Management is supported on the following interfaces: VLAN Physical (router) ports Port-channel interfaces To implement Inband Management on the Brocade VDX 6720 switches, you must have an understanding of implementing IP routes and subnets. The front-end port that you configure acts as a router with IP forwarding implemented to allow communication to the CP through the port processors and then out of the ports. Therefore, it is necessary to implement numerous IP routes throughout the network to allow the communication to take place. The management station IP address and Ethernet port interface IP address must be in the same subnet, as shown in Figure 8. FIGURE 8 A management station communicating with the CP Brocade Network OS Administrator s Guide 25

50 3 Configuring Inband Management interfaces The configuration shown in Figure 8 supports the following operations: Connecting from the management station to Switch-A through an SSH or Telnet session. Connecting from Switch-A to Switch-B through an SSH or Telnet session. Transferring files between the management station and Switch-A using secure copy (SCP). Transferring files between Switch-A and Switch-B using secure copy (SCP). Provisioning an Inband Management interface 1. Connect to the switch through the serial console or through the management interface if available. 2. Issue the configure terminal command to enter the global configuration mode. 3. Enter the interface command followed by the interface type you want to configure. 4. Enter the ip address IPv4_address/prefix_length command to set the IPv4 address for the interface. NOTE You need to configure a primary IP address only. Secondary IP addresses are not supported. 5. Enter the ip mtu command to set the interface IP Maximum Transmission Unit (MTU) in bytes. 6. Enter the arp-ageing-timeout parameter (in minutes) to configure the interface timeout parameter for the Address Resolution Protocol (ARP). The default timeout value is 4 hours. 7. Clear the ARP cache using the clear-arp-cache command with the no-refresh option to delete unused ARP entries. 8. Configure a proxy ARP per interface with the ip proxy-arp command. 9. Display the configuration using the show ip interface command. switch# configure terminal Entering configuration mode terminal switch(config)# interface Vlan 2 switch(config-vlan-2)# ip address /24 switch(config-vlan-2)# ip mtu 1200 switch(config-vlan-2)# arp-ageing-timeout 300 switch(config-vlan-2)# clear-arp-cache no-refresh switch(config-vlan-2)# ip proxy-arp switch(config-vlan-2)# exit switch# show ip interface Vlan 2 Vlan 2 is up protocol is up Primary Internet Address is /24 broadcast is IP MTU is 1200 Proxy Arp is Enabled ICMP unreachablesare always sent ICMP mask replies are never sent IP fast switching is enabled 26 Brocade Network OS Administrator s Guide

51 Capturing support data 3 Capturing support data If you are troubleshooting a production system, you will have to capture data for further analysis or send the data to your switch service provider. The copy support command provides a mechanism for capturing critical system data and uploading the data to an external host or saving the data to an attached USB device. Uploading supportsave data to an external host To upload supportsave data interactively, enter the copy support-interactive command and provide input as prompted. For a non-interactive version of the command, refer to the Network OS Command Reference. switch#copy support-interactive Server Name or IP Address: Protocol (ftp, scp): ftp User: admin Password: ******** Directory:/home/admin/support VCS support [Y]: n Saving supportsave data to an attached USB device You can use a Brocade-branded USB device to save the support data. The Brocade-branded USB device comes with factory-configured default directories and interacts with the Network OS CLI. 1. Enable the USB device with the usb on command. 2. Enter the usb dir command to display the default directories. 3. Enter the copy support directory directory command. switch#usb on USB storage enabled switch#usb dir firmwarekey\ 0B 2010 Aug 15 15:13 support\ 106MB 2010 Aug 24 05:36 support1034\ 105MB 2010 Aug 23 06:11 config\ 0B 2010 Aug 15 15:13 firmware\ 380MB 2010 Aug 15 15:13 Available space on usbstorage 74% switch#copy support usb directory support Additional suppportsave configuration commands Use the following commands to configure additional supportsave data collection parameters: Use the support command to disable or enable the first-fault data capture (FFDC). FFDC is enabled by default. You must first enter the global configuration mode with the configure command before you can configure FFDC. Use the show support command to display a list of core files on the switch. Use the clear support command to erase support data on the switch. Refer to the Network OS Command Reference for more information on these commands. Brocade Network OS Administrator s Guide 27

52 3 Setting up a syslog server Setting up a syslog server The system logging daemon (syslogd) is an IP-based service for logging system messages. The syslog daemon is part of the UNIX and Linux operating systems. It is available as a third-party application for Windows operating systems. You can configure your switch to forward system events and error messages to log files on a remote server. The server can be running UNIX, Linux, or any other operating system that supports the standard syslogd functionality. Configuring for syslog message forwarding involves configuring the server IP address in IPv4 format. Adding a syslog server 1. Issue the configure terminal command to enter the global configuration mode. 2. Enter the logging syslog-server command and specify the server IP address. 3. Repeat the command with another server IP address to add another server. 4. Enter the do show running-config logging syslog-server command to verify the configuration. switch#configure terminal Entering configuration mode terminal switch(config)# logging syslog-server switch(config)# logging syslog-server switch(config)# logging syslog-server switch(config)# logging syslog-server switch(config)# do show running-config logging syslog-server logging syslog-server logging syslog-server logging syslog-server logging syslog-server NOTE The logging syslog-server command accepts IPv4 addresses only. You can specify up to four host IP addresses for storing syslog messages. Removing a syslog server 1. Issue the configure terminal command to enter the global configuration mode. 2. Enter the no logging syslog-server command and specify the server IP address. 3. Enter the do show running-config logging syslog-server command to verify the configuration. switch#configure terminal Entering configuration mode terminal switch(config)# no logging syslog-server switch(config)# do show running-config logging syslog-server logging syslog-server logging syslog-server logging syslog-server Brocade Network OS Administrator s Guide

53 Configuring the RASlog console 3 Configuring the RASlog console RASlog messages record system events filtered by configured severity levels. Each message includes a time stamp, a message ID, an external sequence number, a severity level, the chassis name, and the message body. You can configure the RASlog console to filter messages by severity level, display the messages on the local switch, and clear all messages, For more information, refer to the Network OS Message Reference. Displaying the RASlog messages To display the RASlog messages, enter the show logging raslog command, as shown in the following example. switch# show logging raslog NOS: v /03/11-20:12:03, [NSM-2006], 13187,, INFO, AMPP_SK_112, Port-profile aa1 removed successfully on TenGigabitEthernet 2/0/ /03/11-20:12:24, [NSM-2004], 13188,, INFO, AMPP_SK_112, Port-profile aa1 application succeeded on TenGigabitEthernet 2/0/ /03/11-20:15:56, [HIL-1404], 13189,, WARNING, Brocade8000, 1 fan FRUs missing. Install fan FRUs immediately. 2000/03/11-20:19:33, [NSM-2006], 13190,, INFO, AMPP_SK_112, Port-profile aa1 removed successfully on TenGigabitEthernet 2/0/ /03/11-20:26:02, [HIL-1404], 13191,, WARNING, Brocade8000, 1 fan FRUs missing. Install fan FRUs immediately. 2000/03/11-20:26:03, [NSM-2004], 13192,, INFO, AMPP_SK_112, Port-profile aa1 application succeeded on TenGigabitEthernet 2/0/ /03/11-20:31:33, [NSM-2006], 13193,, INFO, AMPP_SK_112, Port-profile aa1 removed successfully on TenGigabitEthernet 2/0/14 (output truncated) Setting the RASlog severity filter You can choose one of the following severity levels to filter RASlog messages: INFO (default), WARNING, ERROR, or CRITICAL. Input values are case-sensitive. The configured severity level marks the reporting threshold. All messages with the configured severity or higher are displayed. 1. Issue the configure terminal command to enter the global configuration mode. 2. Enter the logging switchid switchid raslog console command followed by a severity level. 3. Save the configuration changes using the do copy running-config startup-config command. switch#configure terminal Entering configuration mode terminal switch(config)# logging switchid 2 raslog console WARNING switch(config)# do copy running-config startup-config switch# show logging raslog NOS: v2.0.0 Brocade Network OS Administrator s Guide 29

54 3 Configuring the RASlog console 2000/03/11-20:15:56, [HIL-1404], 13189,, WARNING, Brocade8000, 1 fan FRUs missing. Install fan FRUs immediately. 2000/03/11-20:26:02, [HIL-1404], 13191,, WARNING, Brocade8000, 1 fan FRUs missing. Install fan FRUs immediately. (output truncated) Clearing the RASlog Enter the clear logging raslog command to erase all RASlog messages on the local switch. 30 Brocade Network OS Administrator s Guide

55 Network Time Protocol Chapter 4 In this chapter Time settings Time zone settings Network Time Protocol (NTP) maintains uniform time across all switches in a network. The NTP commands support the configuration of an external time server to maintain synchronization between all local clocks in a network. To keep the time in your network current, it is recommended that each switch have its time synchronized with at least one external NTP server. External NTP servers should be synchronized among themselves in order to maintain fabric-wide time synchronization. All switches in the fabric maintain the current clock server value in nonvolatile memory. By default, this value is the local clock server of the switch. Time settings The ntp server command accepts server addresses in IPv4 or IPv6 format. When multiple NTP server addresses are in the list, the ntp server command sets the first obtainable address as the active NTP server. If there are no reachable time servers, then the local switch time is the default time. Network time synchronization is only guaranteed when a common external time server is used by all switches. Synchronizing the local time with an external source Use the ntpserver command to add an NTP server IP address to a list of server IP addresses. 1. Enter the configure terminal command. 2. Enter the ntp server command: switch(config)# ntp server Brocade Network OS Administrator s Guide 31

56 4 Time zone settings Removing an NTP server IP address Use the no ntp server command to remove an NTP server IP address from a list of server IP addresses. 1. Enter the configure terminal command. 2. Enter the no ntp server command: switch(config)# no ntp server Displaying an NTP server IP address Use the show ntp status command to display the current active NTP server IP address or LOCL (for local switch time when no NTP servers were configured or no reachable NTP servers are available). The request is for the local switch unless a switch ID is specified. Specify the all parameter to send the request to all switches in the cluster. Enter the show ntp status command: switch# show ntp status [switchid id all] Time zone settings Switch operation does not depend on a date and time setting. However, having an accurate time setting is needed for accurate logging and audit tracking. You can set the time zone by specifying one of the following regions: Africa, America, Pacific, Europe, Antarctica, Arctic, Asia, Australia, Atlantic, Indian, or also state and longitudinal city. The time zone setting has the following characteristics: The setting automatically adjusts for Daylight Savings Time. Changing the time zone on a switch updates the local time zone setup and is reflected in local time calculations. By default, all switches are in the Greenwich Mean Time (GMT) time zone (0,0). If all switches in a fabric are in one time zone, it is possible for you to keep the time zone setup at the default setting. System services that have already started will reflect the time zone changes only after the next reboot. Time zone settings persist across failover for high availability. Time zone settings are not affected by NTP server synchronization. 32 Brocade Network OS Administrator s Guide

57 Time zone settings 4 Setting the clock The following procedure sets the local clock date and time. An active NTP server, if configured, automatically updates and overrides the local clock time. Time values are limited to between January 1, 1970 and January 19, NOTE You should only set the clock if there are no NTP servers configured. Time synchronization from NTP servers overrides the local clock. Enter clock set CCYY-MM-DDTHH:MM:SS where CCYY-MM-DDTHH:MM:SS = year-month-daythours:minutes:seconds. switch# clock set T12:15:00 Setting the time zone The following procedure describes how to set the time zone for a switch. You must perform the procedure on all switches for which the time zone must be set. However, you only need to set the time zone once on each switch because the value is written to nonvolatile memory. Enter the clock timezone region [/country /state/] city command. switch# clock timezone America/California Removing the time zone setting The following procedure removes the time zone setting for the local clock. Enter the no clock timezone command. switch# no clock timezone Displaying the current local clock and timezone The following procedure returns the local time, date, and time zone. The local clock is used unless a switch ID is specified. Specify the all parameter to request local clocks from all switches in the cluster. Enter the show clock command. switch# show clock [switchid id all] Brocade Network OS Administrator s Guide 33

58 4 Time zone settings 34 Brocade Network OS Administrator s Guide

59 Configuration Management Chapter 5 In this chapter Switch configuration overview Flash file management Configuration file types Saving configuration changes Configuration backup Configuration restoration Configuration management in VCS mode Switch configuration overview Maintaining consistent configuration settings among switches in the same fabric is an important part of switch management and minimizes fabric disruptions. As part of standard maintenance procedures, it is recommended that you back up all important configuration data for every switch on an external host for emergency reference. Typical configuration management tasks include the following actions: Saving the running configuration to the startup configuration file ( Saving configuration changes on page 38). Uploading the configuration files to a remote location ( Configuration backup on page 39). Restoring a configuration file from a remote archive ( Configuration restoration on page 40). Archiving configuration files for all your switches to a remote location ( Configuration management in VCS mode on page 41). Downloading a configuration file from a remote location to multiple switches ( Configuration management in VCS mode on page 41). Flash file management Brocade Network OS provides a set of tools for removing, renaming, and displaying files you create in the switch flash memory. You can use the display commands with any file, including the system configuration files. The rename and delete commands only apply to copies of configuration files you create in the flash memory. You cannot rename or delete any of the system configuration files. Listing the contents of the flash memory To list the contents of the flash memory, enter the dir command. Brocade Network OS Administrator s Guide 35

60 5 Flash file management switch#dir drwxr-xr-x 2 root sys 4096 Feb 13 00:39. drwxr-xr-x 3 root root 4096 Jan rwxr-xr-x 1 root sys 417 Oct defaultconfig.novcs -rwxr-xr-x 1 root sys 697 Oct defaultconfig.vcs -rw-r--r-- 1 root root 6800 Feb 13 00:37 startup-config Deleting a file from the flash memory To delete a file from the flash memory, enter the delete file command. switch#delete myconfig Renaming a file To rename a file in the the flash memory, enter the rename source_file destination_file command. switch#rename myconfig myconfig_ Viewing the contents of a file in the flash memory To investigate the contents of a file in the flash memory, enter the show file file command switch# show file defaultconfig.novcs! no protocol spanning-tree! vlan dot1q tag native! cee-map default remap fabric-priority priority 0 remap lossless-priority priority 0 priority-group-table 1 weight 40 pfc on priority-group-table 2 weight 60 pfc off priority-table ! interface Vlan 1 shutdown! port-profile default vlan-profile switchport switchport mode trunk switchport trunk allowed vlan all! protocol lldp! end! NOTE To display the contents of the running configuration, use the show running-config command. To display the contents of the startup configuration, use the show startup-config command. 36 Brocade Network OS Administrator s Guide

61 Configuration file types 5 Configuration file types Brocade Network OS supports three types of configuration files. Table 5 lists the standard configuration files and their functions. TABLE 5 Standard switch configuration files Configuration file Description Default configuration defaultconfig.novcs defaultconfig.vcs Startup configuration startup-config Running configuration running-config Part of the Network OS firmware package. The default configuration is applied, if no customized configuration is available. There are different default configuration files for standalone and VCS mode. Configuration effective on startup and after reboot. Current configuration active on the switch. Whenever you make a configuration change, it is written to the running configuration. The running configuration does not persist across reboot, unless you copy it to the startup configuration. Configuration management follows a transaction model. When you boot up a switch for the first time, the running configuration is identical to the startup configuration. As you configure the switch, the changes are written to the running configuration. To save the changes, you must save the currently effective configuration (the running configuration) as the startup configuration. When the switch reboots, the configuration changes become effective. Default configuration Network OS provides two different configuration files for switches in standalone and VCS mode. When you change from standalone to VCS mode, the system chooses the appropriate default configuration based on the mode (VCS or standalone). Default configuration files are part of the Network OS firmware package and are automatically applied to the startup configuration under the following conditions: When the switch boots up for the first time and no customized configuration is available. When you enable or disable VCS mode, the appropriate default configuration is applied when the switch reboots. When you restore the default configuration. You cannot remove, rename, or change the default configuration. Displaying the default configuration To display the default configuration, enter the show file file command. switch# show file defaultconfig.novcs switch# show file defaultconfig.vcs Startup configuration The startup configuration is persistent. It is applied when the system reboots. When the switch boots up for the first time, the switch uses the default configuration as the startup configuration, depending on the mode. Brocade Network OS Administrator s Guide 37

62 5 Saving configuration changes The startup configuration always matches the current VCS mode. It is deleted when you change modes, unless you make a backup copy. When you make configuration changes to the running configuration and save the changes to the startup configuration with the copy command, the running configuration becomes the startup configuration. Displaying the startup configuration To display the contents of the startup configuration, enter the show startup-config command. switch# show startup-config Running configuration The configuration currently effective on the switch is referred to as the running configuration. Any configuration change you make while the switch is online is made to the running configuration. The running configuration is nonpersistent. To save configuration changes, you must copy the running configuration to the startup configuration. If you are not sure about the changes, you can copy the changes to a file, and apply the changes later. Displaying the running configuration To display the contents of the running configuration, enter the show running-config command. switch# show running-config Saving configuration changes Configuration changes are nonpersistent and are lost on reboot unless you save them permanently. You have two options for saving configuration changes: Copy the running configuration to the startup configuration. The changes become effective upon reboot. Copy the running configuration to a file, and apply it at some later date. NOTE Always make a backup copy of your running configuration before you upgrade or downgrade the firmware. Saving the running configuration To save the configuration changes you made, copy the running configuration to the startup configuration. The next time the switch reboots, it uses the startup configuration and the changes you made earlier become effective. Enter the copy running-config startup-config command. switch# copy running-config startup-config copy running-config startup-config This operation will modify your startup configuration. Do you want to continue? [Y/N]: y 38 Brocade Network OS Administrator s Guide

63 Configuration backup 5 Saving the running configuration to a file If you want to save the changes you made to the configuration, but you do not want the changes to take effect when the switch reboots, you can save the running configuration to a file. You can apply the changes at some later time. 1..Enter the copy running-config file command. Specify the file name as the file URL. switch# copy running-config flash//:myconfig 2. Verify the transaction by listing the directory contents. switch# dir total 32 drwxr-xr-x 2 root sys 4096 Feb 17 17:50. drwxr-xr-x 3 root root 4096 Jan rwxr-xr-x 1 root sys 417 Oct defaultconfig.novcs -rwxr-xr-x 1 root sys 697 Oct defaultconfig.vcs -rw-r--r-- 1 root root 6777 Feb 17 17:50 myconfig -rw-r--r-- 1 root root 6800 Feb 13 00:37 startup-config Applying previously saved configuration changes When you are ready to apply the configuration changes you previously saved to a file, copy the file (myconfig in the example) to the startup configuration. The changes take effect after the switch reboots. 1. Enter the copy file startup-config command. Specify the file name as the file URL. switch# copy flash//:myconfig startup-config This operation will modify your startup configuration. Do you want to continue? [Y/N]: y Configuration backup Always keep a backup copy of your configuration files, so you can restore the configuration in the event the configuration is lost or you make unintentional changes. The following recommendations apply: Keep backup copies of the startup configuration for all switches in the fabric. Upload the configuration backup copies to an external host or to an attached Brocade-branded USB device. Avoid copying configuration files from one switch to another. Instead restore the switch configuration files from the backup copy. Uploading the startup configuration to an external host Enter the copy startup-config destination_file command. In the following example, the startup configuration is copied to a file on a remote server using FTP. switch#copy startup-config ftp://admin:******@ /archive/startup-config_vdx24-08_ Brocade Network OS Administrator s Guide 39

64 5 Configuration restoration Backing up the startup configuration to an attached USB device When you make a backup copy of a configuration file on an attached USB device, the destination file is the file URL on the USB device. You do not need to specify the target directory. The file is automatically recognized as a configuration file and stored in the default configuration directory. 1. Enable the USB device. switch#usb on USB storage enabled 2. Enter the copy startup-config destination_file command. switch#copy startup-config usb://startup-config_vdx24-08_ Configuration restoration Restoring a configuration involves overwriting a given configuration file on the switch by downloading an archived backup copy from an external host or from an attached USB device. There are two typical scenarios. Restoring a previous startup configuration from backup on page 40 Restoring the default configuration on page 41 Restoring a previous startup configuration from backup You want to back out of configuration changes you made earlier by overwriting the startup configuration with a modified running configuration. You want to take the switch from VCS mode back to standalone mode and reapply your original standalone startup configuration. 1. Disable VCS mode and reboot the switch. The startup configuration associated with VCS mode is automatically deleted. The switch boots up in standalone mode and loads the corresponding default configuration. 2. Copy the archived startup configuration file from an FTP server or from an attached USB device to the running configuration. 3. Reboot the switch. switch# no vcs enable switch# reload switch# ftp://admin:******@ /archive/\ startup-config_vdx24-08_ running-config switch# reload ATTENTION Make sure that the configuration file you are downloading is the one that belongs to the switch you want to restore. It is a good idea to identify archived configuration files by switch name and date. 40 Brocade Network OS Administrator s Guide

65 Configuration management in VCS mode 5 Restoring the default configuration This restoration procedure resets the configuration to the factory defaults. The default configuration files for VCS and standalone mode are always present on the switch and can be restored easily with the copy command. Enter the copy source_file destination_file command to overwrite the startup configuration with the default configuration. switch# copy falsh://defaultconfig.novcs startup-config This operation will modify your startup configuration. Do you want to continue? [Y/N]: y Configuration management in VCS mode When configuring Ethernet fabric parameters and software features on multiple switches, you can upload a configuration file from one switch and download it to the other switches in the fabric. NOTE The switches should be of the same model to share a configuration file. Downloading a configuration file from a Brocade VDX to a Brocade VDX or to a switch with a different firmware version may cause the switch to misapply the configuration and lead to unpredictable behavior. If you need to reset affected switches, restore the default configuration as described in Restoring the default configuration on page 41. Downloading a configuration to multiple switches 1. Configure one switch. 2. Copy the running configuration to the startup configuration as described in Saving the running configuration on page Upload the configuration to an external host ( Uploading the startup configuration to an external host on page 39) or to an attached USB device as described in Backing up the startup configuration to an attached USB device on page Download the configuration file to each of the target switches. Refer to Configuration restoration on page 40 for more information. Brocade Network OS Administrator s Guide 41

66 5 Configuration management in VCS mode 42 Brocade Network OS Administrator s Guide

67 Installing and Maintaining Firmware Chapter 6 In this chapter Firmware upgrade overview Before you begin Downloading the firmware from a remote server Downloading firmware from a USB device Evaluating a firmware upgrade Firmware upgrade in VCS mode Firmware upgrade overview Brocade firmware upgrades consist of multiple firmware packages listed in a.plist file. The.plist file contains specific firmware information (time stamp, platform code, version, and so forth) and the names of the firmware packages to be downloaded. These packages are made available periodically to add features or to remedy defects in the firmware. You can download the firmware from a remote server or from an attached Brocade-branded USB device. The switch maintain two partitions of nonvolatile storage areas, a primary and a secondary partition, to store two firmware images. By default, the firmware download process consists of the following steps: 1. The operating system downloads the new image to the secondary partition. 2. The operating system performs an automatic reboot and swaps partitions. When the switch comes back up, the former secondary partition is now the primary partition. 3. The new image is copied from the primary partition to the secondary partition. If the firmware download process is interrupted by an unexpected reboot, the system will automatically recover the secondary partition (the original firmware). You must wait for the recovery to complete before issuing another firmware download command. ATTENTION In the Network OS v2.0.0 release, the firmware download command is supported on the local switch only. To upgrade all switches in the fabric, refer to Firmware upgrade in VCS mode on page 48. Brocade Network OS Administrator s Guide 43

68 6 Before you begin Before you begin To prepare for a firmware upgrade, perform the tasks listed in this section. In the unlikely event of a failure or time-out, you will be able to provide your switch support provider the information required to troubleshoot the firmware download. 1. Verify the current firmware version. Refer to Getting the switch firmware version on page 44 for details. 2. Back up your switch configuration prior to the firmware download. Refer to Configuration backup on page 39 for details. 3. Optional: For additional support, connect the switch to a computer with a serial console cable. Ensure that all serial consoles and any open network connection sessions, such as Telnet, are logged and included with any trouble reports. 4. Enter the copy support command to collect all current core files prior to executing the firmware download. This information helps to troubleshoot the firmware download process in the event of a problem. 5. Optional: Enter the clear logging raslog command to erase all existing messages in addition to internal messages. Getting the switch firmware version Enter the show version command to get the following information: Network Operating System Version - The firmware version number Build Time - The build date and time of the firmware Firmware name - The label of the firmware image Control Processor - CP model and memory Obtaining and decompressing firmware Firmware upgrades are available for customers with support service contracts and for partners on the Brocade website at You must decompress the firmware package before you can use the firmware download command to update the firmware on your equipment. Use the UNIX tar command for.tar files, the gunzip command for all.gz files, or a Windows unzip program for all.zip files. When you unpack the downloaded firmware, it expands into a directory that is named according to the firmware version. The firmware download command, when issued with the path to the directory where the firmware is stored, performs an automatic search for the correct package file type associated with the switch. Downloading the firmware from a remote server Under normal circumstances, it is recommended to run the firmware download command in the default mode. Do not disable autocommit mode unless you want to evaluate a firmware upgrade before committing to it. Refer to Evaluating a firmware upgrade on page 46 for details about overriding the autocommit mode. 44 Brocade Network OS Administrator s Guide

69 Downloading the firmware from a remote server 6 When upgrading multiple switches, complete the following steps on each switch before you upgrade the next one. 1. Verify that the FTP or SSH server is running on the remote server and that you have a valid user ID and password on that server. 2. Download the firmware package from the Brocade website and store the file on the FTP or SSH server. To download the firmware from an attached USB device, refer to Downloading firmware from a USB device on page Decompress the firmware archive. 4. Issue the show version command to determine the current firmware version. 5. Enter the firmware download interactive command to download the firmware interactively. When promoted for input, choose defaults whenever possible. NOTE To be able to mention the FTP server by name, a Domain Name Server (DNS) entry must exist for the server. 6. At the Do you want to continue (Y/N) [Y]: prompt, enter y. 7. While the upgrade is proceeding, you can start a separate CLI session on the switch and use the show firmwaredownloadstatus command to monitor the upgrade progress. 8. After the switch reboots, enter the show version command to verify the firmware upgrade. switch#firmware download interactive Server Name or IP Address: File Name: nos_2.0.0 Protocol (ftp, scp): ftp User: admin Password:****** Do Auto-Commit after Reboot [Y]:y Reboot system after download [Y]:y This command will cause a cold/disruptive reboot and will require that existing telnet, secure telnet or SSH sessions be restarted. Do you want to continue (Y/N) [Y]: y Server IP: , Protocol IPv4 Checking system settings for firmware download... System settings check passed. You are running 'firmware download' with auto-reboot and auto-commit enabled. After the firmware is downloaded the system will reboot and commit firmware automatically. 2010/09/23-14:31:44, [SULB-1001], 64858, WARNING, VDX , Firmwaredownload command has started. 2010/09/23-14:31:44, [SULB-1036], 64859, INFO, VDX , The current Version: NOS v _bld16 dir ################################################## ldconfig ################################################## glibc ################################################## [output truncated] Brocade Network OS Administrator s Guide 45

70 6 Downloading firmware from a USB device CAUTION Do not interrupt the firmware download process. If you encounter a problem, wait for the time-out (30 minutes for network problems) before issuing the firmware download command again. Disrupting the process (for example, by disconnecting the switch from the power source) can render the switch inoperable and may require you to seek help from your switch service provider. Downloading firmware from a USB device The Brocade VDX 6720 switches support firmware download from a Brocade-branded USB device. Third-party USB devices are not supported. Before you can access the USB device, you must enable the device and mount it as a file system. The firmware images to be downloaded must be stored in the factory-configured firmware directory. Multiple images can be stored under this directory. 1. Ensure that the USB device is connected to the switch. 2. Enter the usb on command. switch#usb on Trying to enable USB device. Please wait... USB storage enabled 3. Optional: Enter the usb dir command. switch#usb dir firmwarekey\ 0B 2010 Aug 15 15:13 support\ 106MB 2010 Aug 24 05:36 config\ 0B 2010 Aug 15 15:13 firmware\ 380MB 2010 Aug 15 15:13 NOS_v2.0.0\ 379MB 2010 Aug 15 15:31 Available space on usbstorage 74% 4. Enter the firmware download usb command followed by the relative path to the firmware directory. switch# firmware download usb directory firmware/nos_v Optional: Unmount the USB storage device. switch#usb off Trying to disable USB device. Please wait... USB storage disabled. Evaluating a firmware upgrade You can restore a previous firmware version after briefly evaluating a newer (or older) version. To enable firmware restoration, you run the firmware download command with the nocommit option. This prevents firmware download from copying the firmware to both partitions. Evaluating a firmware upgrade in this manner ensures that you do not replace existing firmware and will be able to restore the previous firmware version. ATTENTION When you evaluate a firmware upgrade, make sure you disable all features that are supported only by the upgraded firmware before restoring the original version. 46 Brocade Network OS Administrator s Guide

71 Evaluating a firmware upgrade 6 Downloading firmware to a single partition 1. Verify that the FTP or SSH server is running on the host server and that you have a user ID on that server. 2. Obtain the firmware file from the Brocade website at or from your switch support provider and store the file on the FTP or SSH server. 3. Unpack the compressed firmware archive. 4. Enter the show version command to view the current firmware version. 5. Enter the firmware download interactive command and respond to the prompts. 6. At the Do Auto-Commit after Reboot [Y] prompt, enter n. switch#firmware download interactive Server Name or IP Address: File Name: nos2.0.0 Protocol (ftp, scp): ftp User: admin Password:****** Do Auto-Commit after Reboot [Y]:n Reboot system after download [Y]:y This command will cause a cold/disruptive reboot and will require that existing telnet, secure telnet or SSH sessions be restarted. Do you want to continue (Y/N) [Y]: y Server IP: , Protocol IPv4 Checking system settings for firmware download... System settings check passed. You are running 'firmware download' with auto-commit disabled. After the system is rebooted, please run 'firmware commit' or 'firmware restore' manually. 2010/09/23-14:31:44, [SULB-1001], 64858, WARNING, VDX , Firmwaredownload command has started. 2010/09/23-14:31:44, [SULB-1036], 64859, INFO, VDX , The current Version: NOS v _bld16 dir ################################################## ldconfig ################################################## glibc ################################################## [output truncated] The switch will perform a reboot and come up with the new firmware. Your current switch session will automatically disconnect. 7. Enter the show version command to confirm that the primary partition of the switch contains the new firmware. You are now ready to evaluate the new version of firmware. ATTENTION If you want to restore the firmware, stop here and skip ahead to Restoring the previous firmware version on page 48; otherwise, continue to Committing the firmware upgrade on page 48 to complete the firmware download process. Brocade Network OS Administrator s Guide 47

72 6 Firmware upgrade in VCS mode Committing the firmware upgrade If you decide to keep the firmware upgrade, use the firmware commit command to update the secondary partition with new firmware. It may take several minutes to complete the commit operation. 1. Enter the firmware commit command. switch# firmware commit Validating primary partition... Doing firmwarecommit now. Please wait... Replicating kernel image... FirmwareCommit completes successfully. 2. Enter the show version command. Both partitions on the switch should contain the new firmware. Restoring the previous firmware version Use the firmware restore command to back out of a firmware upgrade. This option works only if autocommit mode was disabled during the firmware download. 1. Enter the firmware restore command. The switch will reboot and come up with the original firmware. The firmware commit operation will begin to copy the original firmware from the secondary partition to the primary partition. When this process completes, both partitions will have the original firmware. It may take several minutes to complete the operation. 2. Wait five minutes to ensure that all processes have completed and the switch is fully up and operational. 3. Enter the show version command and verify that both partitions on the switch have the original firmware. Firmware upgrade in VCS mode In the Network OS v2.0.0 release, the firmware download command supports local switch upgrades only. To upgrade the entire cluster, you must execute the firmware download command on each switch separately. For each switch in the fabric, complete the firmware download on the current switch before initiating a firmware download on the next switch. This process minimizes traffic disruption between switches. Enter the show firmwaredownloadstatus command to verify that the download process is complete, and then move on to the next switch. 48 Brocade Network OS Administrator s Guide

73 Administering Licenses Chapter 7 In this chapter Licensing overview Permanent licenses Temporary licenses Managing licenses Dynamic Ports on Demand Licensing overview The Brocade Network Operating System (Network OS) includes platform support in standalone and VCS TM modes as well as optional features that are enabled by license keys. You can purchase Brocade licenses per product or per feature. Each switch in a fabric needs its own licenses, but universal licenses for multiple switches are available. Licenses may be part of the licensed paperpack supplied with your switch software, or you can purchase them separately from your switch vendor. Table 6 lists software features that require a license. TABLE 6 License Brocade licenses for optional Network OS features Description Dynamic Ports on Demand: PORTS_ON_DEMAND_1 PORTS_ON_DEMAND_2 Brocade VCS VCS_FABRIC FCoE FCOE_BASE A Dynamic POD license allows you to instantly scale the fabric by provisioning additional ports on the Brocade VDX 6720 platforms. Licenses are assigned dynamically from a pool of resources based on auto-detection of active links. With an eight-port POD license, you can upgrade from 16 ports to 24 ports on the Brocade VDX With a ten-port POD license, you can upgrade from 40 ports to 50 ports and with a second POD license to the full 60-port capacity on the Brocade VDX A Brocade VCS Fabric license allows you to provision a VCS fabric with up to ten Brocade VDX 6720 nodes. When there are more than two nodes in the fabric, each node must have a VCS Fabric license installed. You do not need a VCS Fabric license if your VCS fabric does not exceed two Brocade VDX 6720 nodes. Note that the Brocade VDX 6720 switches must be fully upgraded to 24 ports or to 60 ports using POD licenses before they can participate in a VCS fabric. An FCoE license enables FCoE on the Brocade VDX 6720 platforms. Since FCoE requires a VCS fabric, a VCS Fabric license is a prerequisite for enabling FCoE in a fabric with more than two switches. In addition, a separate FCoE license is required to enable FCoE on a VCS edge port. Without an FCoE license, FCoE logins are not permitted, and all FCoE commands with the exception of a few commands return an error of No FCoE license present when executed. Brocade Network OS Administrator s Guide 49

74 7 Permanent licenses Brocade offers three different models for the Network OS licensed features. They include permanent licenses and two types of temporary trial licenses: individual time-based licenses and universal time-based licenses. Permanent licenses A permanent license (also referred to as a chassis-wide license) has no expiration date and is locked to a single switch identified by the switch license ID. The switch license ID is initially the same as the switch World Wide Name (WWN). The switch WWN may change through configuration changes on the product, but the switch license ID remains unchanged. Use only the switch license ID to obtain licenses. Refer to Displaying the switch license ID on page 51 for instructions on how to obtain the license ID of your switch. Temporary licenses A temporary license (also known as a time-based license) allows you to evaluate a feature for a limited time prior to buying a permanent license. Brocade offers two types of temporary licenses: individual time-based licenses and universal time-based licenses. Individual time-based licenses An individual time-based license is locked to a single switch and has a fixed expiration date. You cannot install this license on multiple switches. Universal time-based licenses A universal time-based license allows you to use a given feature for a limited trial period defined in days, for example, 30, 60, or 90 days from the date you install the license key on the switch. Each universal license key is valid for a single feature and can be used on any product that supports the feature. In addition, each universal time-based license has an absolute shelf life after which it expires. You cannot install a license with an expired shelf life. The expiration date is based on the system time at the installation of the license plus the number of days that the universal time-based license is valid. For this reason, you cannot remove and reinstall a universal time-based license. License expiration When a time-based license expires, the feature continues to work while generating warning messages until the switch reboots. After the next reboot, the feature will no longer work. You can display expired licenses with the show license command. Expired licenses display a License has expired message. RASlog warning messages are generated every hour for licenses that have expired or will expire in the next five days. 50 Brocade Network OS Administrator s Guide

75 Managing licenses 7 Extending a license You extend a time-based license by adding another temporary license or by installing a permanent license. Re-installing a temporary license that has expired is not permitted. When you replace an expired license, the warning messages cease, if a reboot has not occurred since the expiration. You must reboot the switch for the new license to take effect. Usage restrictions The following restrictions apply to all time-based licenses: Time-based licenses are always retained in the license database and cannot be deleted. Once you have installed a time-based license, you cannot change the system date or time. NOTE Other mechanisms for changing date and time, such as Network Time Protocol (NTP), are not blocked. If you are using NTP to synchronize the time between your network devices, including switches or enterprise-class platforms, do not attempt to change the system date and time when a time-based license is installed. Managing licenses The following management tasks and associated commands apply to both permanent and temporary licenses. Displaying the switch license ID The switch license ID identifies the switch for which the license is valid. You will need the switch license ID when you activate a license key. To display the switch license ID, enter the show license id command. switch# show license id SwitchId LicenseId ======================================== 2 10:00:00:05:1E:00:4C:80 Obtaining a license key License upgrade orders are fulfilled either through a license activation paperpack, or by an message containing a transaction key and a link to the Brocade software portal. A device-specific license file is generated in the software portal when you enter the transaction key along with the switch license ID. Use the show license id command to obtain the switch license ID. Follow the instructions in the paperpack or the message as described for your platform and license type. The transaction key is case-sensitive; you must enter the key exactly as it appears in the paperpack. To lessen the chance of an error, copy and paste the transaction key when you install the license on your switch. You will receive an message with the software license keys embedded in an XML file along with installation instructions. Brocade Network OS Administrator s Guide 51

76 7 Managing licenses NOTE Store the license key in a safe place for future reference. The show license command does not print out the license key. Installing a license When you install licenses, some features require that you reboot the switch and some features require you to disable and re-enable ports or the entire switch. For example, the FCoE license requires a reboot, while the Dynamic POD licenses require you to disable and re-enable the chassis or the appropriate ports. Complete the following steps to install a license: 1. Open the message that contains the license key and extract the license key from the XML file. The license key is printed between the XML start <lickey> and end </lickey> tags. Be sure to copy the entire string, including spaces and non-alphanumeric characters. 1. Enter the license add licstr command followed by the license key and optionally a switch ID if you are installing the license on a remote switch. If the license key includes spaces, you must enclose the entire string in double quotation marks. 2. Verify that you added the license by entering the show license command. The command lists all licensed features currently installed on the switch. If the feature is not listed, enter the license add licstr command again. Depending on the license type, you may be prompted to reboot the switch or to enable the ports. Take the appropriate action as indicated by the command output. The following example adds a second Dynamic POD license on the local switch and verifies the transaction. The command prompts for disabling and then re-enabling the port or the switch. switch# license add licstr "*B slsetgztgevgudeqr4wifrx7mmxoddswenorgenamx3ca3uhezgxk0b,jzxyzfzklrmspn8clsxvd QRRT8VyuULyyKTO0ryU6qm4s1jjiSAeV,COoedzCx1v6ycQgnYMeSVp#" License Added [*B slsetgztgevgudeqr4wifrx7mmxoddswenorgenamx3ca3uhezgxk0b,jzxyzfzklrmspn8clsxvd QRRT8VyuULyyKTO0ryU6qm4s1jjiSAeV,COoedzCx1v6ycQgnYMeSVp#] For license change to take effect, please disable/enable port or switch... switch#chassis disable switch#chassis enable switch# show license SwitchId: 2 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx First Ports on Demand license - additional 10 port upgrade license Feature name:ports_on_demand_1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Second Ports on Demand license - additional 10 port upgrade license Feature name:ports_on_demand_2 The following example adds a VCS Fabric license on the local switch and verifies the transaction. The license takes effect immediately after the command is executed. No further action is required. switch# license add licstr "*B r84pnrthkdrzujmwaut63gorxipbhbzk0ckrq6bvvl3strvw1:fujanf av5w:gwx3hh2:9rsmv3bhfecrfm2gj9nlkrdiibpboa4xfsd2jf,xx1rwkslix8fh6gpx7,73t#" 52 Brocade Network OS Administrator s Guide

77 Managing licenses 7 Adding license [*B r84pnrthkdrzujmwaut63gorxipbhbzk0ckrq6bvvl3strvw1:fujanf av5w:gwx3hh2:9rsmv3bhfecrfm2gslj9nlkrdiibpboa4xfsd2jf,xx1rwkslix8fh6gpx7,73t# ] switch# show license SwitchId: 2 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx First Ports on Demand license - additional 10 port upgrade license Feature name:ports_on_demand_1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Second Ports on Demand license - additional 10 port upgrade license Feature name:ports_on_demand_2 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx VCS Fabric license Feature name:vcs The following example adds an FCoE license on the local switch and verifies the transaction. The command prompts for rebooting the switch. switch# license add licstr "*B :YFGuJSHxbhlWVwBHjmjfAO20R6QzolkyVR4oqJAU0fqhJRCTioav1A:HMah2E7uL4d8px4ySTAWS g809etclwfpljgxz1lvwiikewcfczmefx#" License Added [*B :YFGuJSHxbhlWVwBHjmjfAO20R6QzolkyVR4oqJAU0fqhJRCTioav1A:HMah2E7uL4d8px4ySTAWS g809etclwfpljgxz1lvwiikewcfczmefx#] For license change to take effect, please reboot the switch now... switch#configure Entering configuration mode terminal switch(config)#reload Are you sure you want to reload the switch [y/n]?: y switch# show license SwitchId: 2 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx First Ports on Demand license - additional 10 port upgrade license Feature name:ports_on_demand_1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Second Ports on Demand license - additional 10 port upgrade license Feature name:ports_on_demand_2 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx VCS Fabric license Feature name:vcs xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx FCoE Base license Feature name:fcoe_base Removing a license When you remove licenses, some features require that you reboot the switch and some features require you to disable and re-enable selected ports or the entire switch. For example, the FCoE license requires a reboot, while the Dynamic POD license requires you to disable and re-enable the chassis or the appropriate ports. Complete the following steps to remove a license: 1. Enter the show license command to display the active licenses. 2. Issue the license remove command followed by the license key or the feature name. Brocade Network OS Administrator s Guide 53

78 7 Dynamic Ports on Demand The license key is case-sensitive and must be entered exactly as shown. If the license key includes spaces, you must enclose the entire string in double quotation marks. 3. Take the appropriate action as indicated by the command output. Depending on the license type, you may be prompted to reboot the switch or to enable the ports. 4. Enter the show license command to verify that the license is removed. If there are no license keys, the command output displays No licenses. NOTE You must remember the original license string to use the license remove command with the licensestring operand. You cannot display the license key with the show license command. The following example illustrates the removal of an FCoE license by its feature name. switch# show license switchid 2 SwitchId: 2 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx FCoE Base license Feature name:fcoe_base xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx First Ports on Demand license - additional 10 port upgrade license Feature name:ports_on_demand_1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Second Ports on Demand license - additional 10 port upgrade license Feature name:ports_on_demand_2 switch# license remove switchid 2 "FCOE_BASE" License Removed [FCOE_BASE] For license change to take effect, please reboot the switch now... After a reboot, only the remaining licenses are displayed. switch# show license switchid 2 SwitchId: 2 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx First Ports on Demand license - additional 10 port upgrade license Feature name:ports_on_demand_1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Second Ports on Demand license - additional 10 port upgrade license Feature name:ports_on_demand_2 Dynamic Ports on Demand Dynamic Ports on Demand provides a flexible mechanism for allocating port licenses that you can purchase to extend the base functionality of the Brocade VDX 6720 switches. The additional ports are enabled after you install the appropriate license keys. The Dynamic POD feature assigns port licenses based on your connectivity choices. Any port on the switch can claim a free assignment from the pool of available POD licenses. 54 Brocade Network OS Administrator s Guide

79 Dynamic Ports on Demand 7 NOTE Dynamic POD management features are supported only in standalone mode. Because Brocade VCS TM technology requires full POD licensing, there is no need for reserving or removing port license assignments after you activate the POD licenses. Each port has a dedicated license. Consequently, all POD operations are disabled in VCS mode. In standalone mode, you cannot manage remote switches. In a Dynamic POD system, each port can be associated with one of three port sets: Base Port Set Ports that can be enabled without any POD license. Single POD License Port Set Ports that are assigned first and associated with the existence of a single POD license. Double POD License Port Set Ports that are assigned after the single POD port set is full and are therefore associated with the double POD license. NOTE Licenses are based on the license ID and are not interchangeable between units. For example, if you bought a single POD license for a Brocade VDX , you cannot use that license on another Brocade VDX or on a Brocade VDX You can purchase the Brocade VDX 6720 switches with the port options indicated in Table 7. You can activate unlicensed ports up to the maximum supported per switch by purchasing and installing additional POD licenses. TABLE 7 List of available ports when implementing PODs Platform Base port set Single POD set Double POD set Total ports Brocade VDX N/A 24 Brocade VDX If you purchase both a PORTS_ON_DEMAND_1 (POD1) license and a PORTS_ON_DEMAND_2 (POD2) license for the Brocade VDX , the system has a double POD license. If you purchased only one of these features (POD1 or POD2), the system has a single POD license. The specific POD license that is installed is not relevant to the port count determination. Only the number of installed POD licenses is relevant. The Brocade VDX only supports a single POD license. Automatic POD port assignments With the Dynamic POD feature, you can use the base port set plus the number of additional ports you purchased. All ports that do not receive a POD assignment and are trying to come online will go offline. The show ip interface brief and show interface tengigabitethernet slot/port commands display the reason for the port disabled status as related to POD licensing. The Dynamic POD mechanism detects the ports that have active links, and it makes assignments based on the remaining pool of vacancies: If the count of assigned ports is below the number of ports in the purchased POD set, additional dynamic assignments can be made at a later time as new links are established. If a port comes online, that port can get assigned if you still have vacancies in your POD set. Brocade Network OS Administrator s Guide 55

80 7 Dynamic Ports on Demand If the number of detected active links is greater than the number of ports in the purchased POD set, port assignments are made in the order in which the ports come online. Because the time it takes for each port to come online varies, the order in which ports are assigned to a given POD set cannot be guaranteed. If the given assignment order does not align with your intended use of the ports, you can make adjustments using the dpod slot/port reserve or the dpod slot/port release commands. Refer to Overriding Dynamic POD assignments on page 58 for more information. Mapping port assignments to a POD port set Ports are associated with the single or double POD license in the order in which they come online and automatically receive a license assignment from the pool of unassigned ports in the POD set. The first ports that receive a POD assignment are associated with the base port set. When all ports in the base port set are assigned, the next ports that come online receive assignments from the single POD license port set. When this set is full, the remaining port assignments are associated with the double POD license port set. The association of a specific port to a POD set matters only when you want to remove a POD license from the system. Ports assigned to the double POD license port set will be disabled first. The last-assigned licenses will be released first when you remove a POD licenses. See Releasing a port from a POD set on page 59 for more information. Activating the Dynamic POD feature To activate the dynamic POD feature, complete the following steps: 1. Verify the current states of the ports with the show ip interface brief command. The command output indicates whether a port is licensed. 2. Install the Brocade Dynamic POD license. For instructions on how to install a license, refer to Installing a license on page Use the shutdown and no shutdown command to disable and re-enable the ports. Alternatively, you can disable and re-enable the chassis to activate ports. 4. Use the show ip interface brief command to verify the newly activated ports. 5. Use the show interface tengigabitethernet slot/port command to display port details. The following example shows a Brocade VDX without a Dynamic POD license installed. The 16 ports in the base port set are online and assigned. The remaining 8 ports are unassigned and are down. switch#show ip interface brief Interface IP-Address Status Protocol ========= ========== ====== ======== TengigabitEthernet 0/1 unassigned up up TengigabitEthernet 0/2 unassigned up up TengigabitEthernet 0/3 unassigned up up TengigabitEthernet 0/4 unassigned up up TengigabitEthernet 0/5 unassigned up up TengigabitEthernet 0/6 unassigned administratively down down(no DPOD License) TengigabitEthernet 0/7 unassigned administratively down down(no DPOD License) TengigabitEthernet 0/8 unassigned up up TengigabitEthernet 0/9 unassigned up up 56 Brocade Network OS Administrator s Guide

81 Dynamic Ports on Demand 7 TengigabitEthernet 0/10 unassigned up up TengigabitEthernet 0/11 unassigned administratively down down(no DPOD License) TengigabitEthernet 0/12 unassigned administratively down down(no DPOD License) TengigabitEthernet 0/13 unassigned up up TengigabitEthernet 0/14 unassigned up up TengigabitEthernet 0/15 unassigned up up TengigabitEthernet 0/16 unassigned up up TengigabitEthernet 0/17 unassigned administratively down down(no DPOD License) TengigabitEthernet 0/18 unassigned administratively down down(no DPOD License) TengigabitEthernet 0/19 unassigned administratively down down(no DPOD License) TengigabitEthernet 0/20 unassigned administratively down down(no DPOD License) TengigabitEthernet 0/21 unassigned up up TengigabitEthernet 0/22 unassigned up up TengigabitEthernet 0/23 unassigned up up TengigabitEthernet 0/24 unassigned up up The following example displays details for a single port that is offline, because it does not have a POD license. switch# show interface tengigabitethernet 0/6 TengigabitEthernet 0/6 is down, line protocol is down (No DPOD License) Hardware is Ethernet, address is eb6.0a25 Current address is eb6.0a25 Tracking status: Disabled Tracked interfaces: None Pluggable media present, Media type is sfp Interface index (ifindex) is MTU 2500 bytes LineSpeed: Auto Mbit, Duplex: Full Flowcontrol rx: on, tx: on Displaying the Dynamic POD assignments To display the Dynamic POD assignments, enter the show dpod command. The show dpod command provides a summary of POD license status and POD license assignments. In the following example, all 24 ports are licensed and potentially available. The three unassigned ports are currently persistently disabled and therefore are not assigned to any Dynamic POD license port set. switch# show dpod 24 ports are available in this switch 1 POD license is installed Dynamic POD method is in use 24 port assignments are provisioned for use in this switch: 16 port assignments are provisioned by the base switch license 8 port assignments are provisioned by the first POD license * 0 more assignments are added if the second POD license is installed 21 ports are assigned to installed licenses: 16 ports are assigned to the base switch license 5 ports are assigned to the first POD license Ports assigned to the base switch license: Te 0/1, Te 0/10, Te 0/11, Te 0/12, Te 0/13, Te 0/14, Te 0/15, Te 0/16, Te 0/17, Te 0/18, Te 0/19, Te 0/20, Te 0/21, Te 0/22, Te 0/23, Te 0/24 Ports assigned to the first POD license: Te 0/5, Te 0/6, Te 0/7, Te 0/8, Te 0/9 Ports assigned to the second POD license: None Brocade Network OS Administrator s Guide 57

82 7 Dynamic Ports on Demand Ports not assigned to a license: Te 0/2, Te 0/3, Te 0/4 3 license reservations are still available for use by unassigned ports Overriding Dynamic POD assignments You can override the automatic port license assignments by releasing Dynamic POD assignments from a port and by reserving an assignment for a specific port. Reserving a port assignment Reserving an assignment for a port assigns that port to a POD license regardless of whether the port is online or offline. Reserving assignments allocates the POD license to specified ports. This operation overrides automatic port assignments. The reserved assignment will not be available to other ports that come online. To reserve an assignment for a port, a free assignment must be available. 1. Enter the show dpod command to determine the unassigned ports. If all ports are assigned, select a port to release its POD assignment. Follow the instructions in Releasing a port from a POD set on page 59 to release a port from its POD assignment. Once the port is released, you can reuse the assignment for another port. 2. Enter the global configuration mode by issuing the configure terminal command. 3. Select the port for which you want to reserve an assignment and issue the dpod reserve command. 4. Enter exit to return to the global configuration mode before you reserve another port. switch# configure terminal Entering configuration mode terminal switch(config)# dpod 0/10 reserve switch(config-dpod-0/10)# exit switch(config)# dpod 0/11 reserve switch0(config-dpod-0/11)# exit NOTE License reservations or removals do not persist across switch reboots and power cycles. To make them persistent, save the configuration changes by issuing the use copy running-config startup-config command before you reboot the switch. 5. Reboot the switch. 6. Enter the show running-config dpod command to verify the port is reserved. switch# show running-config dpod 0/10 dpod 0/10 reserve! switch# show running-config dpod 0/11 dpod 0/11 reserve! 7. Save the configuration changes. switch# copy running-config startup-config 58 Brocade Network OS Administrator s Guide

83 Dynamic Ports on Demand 7 Releasing a port from a POD set Once a port has been assigned to a Dynamic POD license port set, it remains licensed (or reserved ) until you remove the port from the port set. You remove a port from the port set by releasing the port with the dpod release command. Releasing a port removes it from the Dynamic POD license port set; the port appears as unassigned until it comes back online. To prevent a port from coming back online and taking a POD assignment, disable the port and save the running configuration. This will disable the port persistently. A port POD assignment can only be released if the port is currently offline. Use the shutdown command to disable the port or use the chassis disable command to disable the switch if you plan to release multiple ports. 1. Enter the global configuration mode by issuing the configure terminal command. 2. Select the interface for the port that you wish to disable using the interface slot/port. command. 3. Enter the shutdown command to take the port offline. 4. Enter exit to return to the global configuration mode before you release the port. 5. Enter the dpod release command to remove the port from the POD license. 6. Enter exit to return to the global configuration mode before you reserve another port. switch# configure terminal Entering configuration mode terminal switch(config)# interface 0/10 switch(conf-if-te-0/10)# shutdown switch(conf-if-te-0/10)# exit switch(config)# dpod 0/10 release switch(config-dpod-0/10)# exit switch(config)# dpod 0/11 release switch(config-dpod-0/11)# exit 7. Enter exit to return to the privileged EXEC mode. 8. Enter the show dpod command to verify that the port is no longer assigned to a POD set. 9. Enter the enable chassis command to bring the switch back online. 10. Save the configuration changes. switch# copy running-config startup-config NOTE Do not release a port unless you plan to disconnect the optical link or disable the port persistently. If you leave the link in a state where the port could be brought online, the POD mechanism will detect this unassigned port and attempt to reassign it to a port set. Brocade Network OS Administrator s Guide 59

84 7 Dynamic Ports on Demand 60 Brocade Network OS Administrator s Guide

85 Security Chapter 8 In this chapter Role management User management Role-based access control RADIUS TACACS Login authentication Passwords Role management A role is an entity that defines the access privileges of the user accounts on the switch. A user is associated with one role. Refer to Role-based access control on page 64 for information about how to assign permissions to the roles. Default roles Attributes of default roles cannot be modified; however, the default roles can be assigned to non-default user accounts. The following roles are default roles: The admin role has the highest privileges. All CLIs are accessible to the user associated with the admin role. The user role has limited privileges that are mostly restricted to show commands in the Privileged EXEC mode. User accounts associated with the user role cannot access configuration CLIs that are in the Global Configuration mode. The exit command and the no command are also available to the user role. Role attributes A role has two attributes: the name of the role and a description of the role. Name The role name is the only mandatory attribute. The role name must begin with a letter and must be from 4 through 32 characters in length. Numbers, alphabet characters, and underscores are allowed. The name cannot be the same as that of an existing user. Description A role description is optional. The description supports up to 64 characters and the characters can be anything from the printable ASCII character set, except for the following punctuation characters: single quote ( ), double quote ( ), exclamation point (!), colon (:), and semi-colon (;). When providing a role description, you must enclose the text in double quotes. Double quotes are needed only if the text contains spaces. Brocade Network OS Administrator s Guide 61

86 8 User management Adding or changing a role The maximum number of roles is 64. Refer to Role-based access control on page 64 for information about how to assign permissions to the roles. 1. Enter the configure terminal command. 2. Enter the role name command. Example of adding or changing a role named NetworkSecurityAdmin switch(config)# role name NetworkSecurityAdmin desc Manages security CLIs switch(config-name-networksecurityadmin)# Deleting a role 1. Enter the configure terminal command. 2. Enter the no role name command. Example of deleting a role named VLANAdmin switch(config)# no role name VLANAdmin Displaying a role Enter the show running-config role command. switch# show running-config role role name VLANAdmin desc Manage security CLIs role name NetworkAdmin desc Manages Network CLIs role name ClusterAdmin desc Manages Cluster CLIs User management A user must be assigned a role to determine authorized privilege levels to create, change, or delete other users. User attributes A user has the following attributes. NOTE The name, password, and role attributes are mandatory. Name The name of the user. The user name is case-sensitive, must not exceed 40 characters, and must begin with a letter. Allowable characters are letters, numbers, underscore ( ), and period(.). The name cannot be the same as that of an existing role. Password The user s password. Encryption level Represents whether the password input is in clear text or is encrypted. The values are 0 (clear text) and 7 (encrypted). Clear text (0) is the default. 62 Brocade Network OS Administrator s Guide

87 User management 8 Role The roles assigned to the user. Desc A description of the user. The description field cannot exceed 64 characters and can be comprised of any characters from the printable ASCII character set, except for single quotes ( ), double quotes ( ), an exclamation point (!), a colon (:), or a semi-colon (;). Double quotes are required if the text contains spaces. Enabled Reflects whether a user is enabled or disabled. A disabled user cannot log in. The default is enabled. The default users on a switch as part of the factory-default settings are admin and user. Only the admin and user users can access the CLI and except for the account password, no other attributes can be changed for the default users admin and user. Adding a user The maximum number of user accounts is 64. NOTE While the username and no username commands are Global Configuration commands, the unlock username command is a Privileged EXEC command. 1. Enter the configure terminal command. 2. Enter the username command. switch(config)# username brcduser role user password BwrsDbB+tABWGWpINOVKoQ==\ encryption-level 7 desc Brocade User enable true NOTE If enable is set to false, the user cannot log in. Changing a user All active login sessions of a user are terminated if the user s password or role is changed. NOTE While the username and no username commands are Global Configuration commands, the unlock username command is a Privileged EXEC command. The syntax for the add and change operations looks alike. The difference is that there are no mandatory parameters for the change operation. The system internally recognizes whether the operation is an add or change operation by checking whether the user is already present in the configuration. 1. Enter the configure terminal command. 2. Enter the username command. Example of changing a user (this example sets the default value to the desc attribute) switch(config)# username testuser enabled false switch(config-username-testuser)# desc "add op test user" switch(config)# no username testuser desc NOTE Using the no form of the username command terminates a user s login sessions. Brocade Network OS Administrator s Guide 63

88 8 Role-based access control Deleting a user All active login sessions for a user are terminated if the user account is deleted. NOTE While the username and no username commands are Global Configuration commands, the unlock username command is a Privileged EXEC command. 1. Enter the configure terminal command. 2. Enter the no username command. switch(config)# no username testuser Displaying a user Enter the show running-config username command. switch# show running-config username userbrocade username userbrocade desc " User to monitor" password $1$no$password-hidden role user enabled true Unlocking a user account A user account is locked by the system when the configured threshold for login retries has been reached. The login is on a per-switch basis. NOTE While the username and no username commands are Global Configuration commands, the unlock username command is a Privileged EXEC command. You can use the show users command to find the user accounts that are currently logged into the switch and the user accounts that are locked on the switch. Use the unlock username command to unlock a locked user account. 1. Enter the unlock username command. switch# unlock username testuser Result: Unlocking the user account is successful Role-based access control Role-based access control (RBAC) is used as the authorization mechanism. You can create roles dynamically and associate them with rules to define the permissions applicable to a particular role. User accounts must be associated with a role and every user account can only be associated with a single role. Permissions cannot be assigned directly to the user accounts and can only be acquired through the associated role. RBAC is the function of specifying access rights to resources for roles. When a user executes a command, privileges are evaluated to determine access to the command based on the role of the user. 64 Brocade Network OS Administrator s Guide

89 Role-based access control 8 The default roles have a predefined set of rules that cannot be modified by any user. The admin role has permission to execute all commands, while the user role has permission to execute all the show and show running-config commands. When any new role is created, it has all the permissions of the user role by default. NOTE With a new switch, only the admin user account has access to perform user and role management operations. The admin user can create any roles and configure those roles for access to user and role management operations. Rule management Command authorization is defined in terms of an ordered set of rules. A rule has the following CLI command syntax attributes: Index A numeric identifier of the rule. The valid range is from 1 through This field is mandatory. Role The name of the role for which the rule is defined. This field is mandatory. Operation Defines the type of operation. It has two values: read-only and read-write. This field is optional. The default value is read-write. Action Has two values: accept and reject. This field is optional. The default value is accept. Command The command on which access is defined. Commands are separated by spaces. RBAC support is provided only for the copy, clear, interface, and protocol commands, as shown in the following examples. rule 70 action accept operation read-write role NetworkAdmin command copy running-config rule 71 action accept operation read-write role NetworkAdmin command interface management rule 72 action accept operation read-write role NetworkAdmin command interface fcoe Rules can be created for a particular instance of interface tengigabitethernet or interface fcoe, as shown in the following examples. rule 60 action accept operation read-write role NetworkAdmin command interface tengigabitethernet 0/4 rule 65 action accept operation read-write role NetworkAdmin command interface fcoe 0/4 A rule created with the no-operation operand does not enforce authorization rules. The no-operation operand can be used as a placeholder for a valid operand that will be added later, as shown in the following example. rule 75 action reject operation read-write role NetworkAdmin command no-operation Brocade Network OS Administrator s Guide 65

90 8 Role-based access control Rules for configure commands Configuration data of a particular command can be displayed by using the show running-config command. By default, every role can access all the show running-config commands. For the non-default roles, even the permission to access the show running-config commands can be modified by the authorized user (admin). The user must have the read-write permission for the configure command to execute any of the configuration commands. The following rules govern configuration commands: If a role has a rule with a read-write operation and the accept action for a configuration command, the user associated with this role can execute the command and read the configuration data. If a role has a rule with a read-only operation and the accept action for a configuration command, the user associated with this role can only read the configuration data of the command. If a role has a rule with a read-write operation and the reject action for a configuration command, the user associated with this role cannot execute the command and can read the configuration data of the command. Rules for operational commands Rules can be created for the specified operational commands. By default, every role can display all the operational commands but cannot execute them. The show commands can be accessed by all the roles. The following rules govern operational commands: If a role has a rule with a read-write operation and the accept action for an operational command, the user associated with this role can execute the command. If a role has a rule with a read-only operation and the accept action for an operational command, the user associated with this role can access but cannot execute the command. If a role has a rule with a read-write operation and the reject action for an operational command, the user associated with this role can neither access nor execute the command. Rules for interface key-based commands Rules can be created for a specific instance of the TE and FCoE interface-related configuration commands. Users can access the configuration data of all the interface instances using the show running-config interface te and show running-config interface fcoe commands. The following rules govern interface key-based commands: If a role has a rule with a read-write operation and the accept action for only a particular instance of the interface, the user associated with this role can only modify the attributes of that instance. If a role has a rule with a read-only operation and the accept action for only a particular instance of the interface, the user associated with this role can only read (using the show running-config command) the data related to that instance of the interface. By default, every role has the permission to read the configuration data related to all instances of the interfaces using the show running-config interface te and show running-config interface fcoe commands. 66 Brocade Network OS Administrator s Guide

91 Role-based access control 8 If a role has a rule with a read-write operation and the reject action for only a particular instance of the interface, the user associated with this role cannot execute and read the configuration data for that interface instance. If a role has a rule with read-write operation and the reject action for interface tengigabitethernet and fcoe instances, the user associated with this role cannot perform clear and show operations related to those instances. To perform clear and show operations related to interface tengigabitethernet and fcoe instances, the user must have at least read-only accept permission. By default, every role has the read-only, accept permission for all the interface instances. In the following example, the user associated with the NetworkAdmin role cannot perform some of the clear and show operations related to all tengigabitethernet instances. rule 30 role NetworkAdmin action reject command interface tengigabitethernet With the above rule, the user cannot access the following commands: clear arp-cache tengigabitethernet 1/0/1 no-refresh clear counters interface tengigabitethernet 1/0/1 clear dot1x statistics interface tengigabitethernet 1/0/1 clear fcoe login interface tengigabitethernet 1/0/1 clear ip igmp groups interface tengigabitethernet 1/0/1 clear lldp neighbors interface tengigabitethernet 1/0/1 clear lldp statistics interface tengigabitethernet 1/0/1 clear mac-address-table dynamic interface tengigabitethernet 1/0/1 clear spanning-tree counter interface tengigabitethernet 1/0/1 clear spanning-tree detected-protocols interface tengigabitethernet 1/0/1 show arp tengigabitethernet 1/0/1 show dot1x diagnostics interface tengigabitethernet 1/0/1 show dot1x session-info interface tengigabitethernet 1/0/1 show dot1x statistics interface tengigabitethernet 1/0/1 show ip igmp groups interface tengigabitethernet 1/0/1 show lldp interface tengigabitethernet 1/0/1 show lldp neighbors interface tengigabitethernet 1/0/1 show lldp statistics interface tengigabitethernet 1/0/1 show mac access-group interface tengigabitethernet 1/0/1 show mac-address-table count dynamic interface tengigabitethernet 1/0/1 show mac-address-table count interface tengigabitethernet 1/0/1 show mac-address-table dynamic interface tengigabitethernet 1/0/1 show mac-address-table interface tengigabitethernet 1/0/1 show mac-address-table linecard interface tengigabitethernet 1/0/1 show mac-address-table static interface tengigabitethernet 1/0/1 show media interface tengigabitethernet 1/0/1 show port port-channel tengigabitethernet 1/0/1 show port-profile interface tengigabitethernet 1/0/1 Brocade Network OS Administrator s Guide 67

92 8 Role-based access control show qos flowcontrol interface tengigabitethernet 1/0/1 show qos interface tengigabitethernet 1/0/1 show qos queue interface tengigabitethernet 1/0/1 show qos rcv-queue interface tengigabitethernet 1/0/1 show qos rcv-queue multicast tengigabitethernet 1/0/1 show sflow interface tengigabitethernet 1/0/1 show spanning-tree interface tengigabitethernet 1/0/1 show spanning-tree mst detail interface tengigabitethernet 1/0/1 show spanning-tree mst interface tengigabitethernet 1/0/1 show statistics access-list interface tengigabitethernet 1/0/1 The dot1x option under the interface instance sub mode can only be configured if the role has the read-write and accept permissions for both the dot1x command and interface te instances. For example: rule 16 action accept operation read-write role cfgadmin command interface tengigabitethernet rule 17 action accept operation read-write role cfgadmin command dot1x switch(config)# interface TenGigabitEthernet 1/0/1 switch(conf-if-te-1/0/1)#? Possible completions: cee Apply default CEE map 'default' channel-group LACP channel commands description Interface specific description do Run an operational-mode command dot1x IEEE 802.1X Port-Based Access Control exit Exit from current mode fabric Fabric Protocol fcoeport Configure the port to be an FCOE port help Provide help information ip The Internet Protocol (IP). lacp LACP commands lldp The Link Layer Discovery Protocol(LLDP). mac Configure MAC parameters mtu Set mtu value to interface no Negate a command or set its defaults port-profile-port Set the interface to AMPP profile mode pwd Display current mode path qos Quality of Service (QoS) rmon Remote Monitoring Protocol (RMON) sflow SFlow shutdown Shutdown the selected interface speed Set speed informational parameter switchport Set the switching characteristics of the Layer2 interface top Exit to top level and optionally run command vepa Enable vepa to support U-turn of the traffic on the selected interface vlan Vlan commands 68 Brocade Network OS Administrator s Guide

93 Role-based access control 8 To perform the no vlan and no spanning-tree commands under the submode of interface tengigabitethernet instances, the user must have the read-write, accept permission for vlan and protocol spanning-tree commands. By default, every role including the user role has the read-only, accept permission for all interface instances. Default roles The default roles have a predefined set of rules that cannot be modified by any user. The admin role has permission to execute all commands. Certain commands (primarily for administrative purposes) are accessible only to the admin role. The following commands are available to the user role. show show running-config NOTE On creation, a new role has all the permissions of the user role by default. Rules processing When a user executes a command, rules are searched in ascending order for an index-based match and the action of the first matching rule is applied (please read the next paragraph for the exception). If none of the rules match, that command cannot be executed. If there are conflicting permissions for a role in different indices, the switch considers the rule with lowest index. When a match is found for a rule with the read-only operation, and the accept action, the system goes further to find if there are any rules with the read-write operation, and the accept action. Then the later rule (read-write operation with accept action) will be applicable to that role. In the following example, Rule 11 is applicable for the role NetworkAdmin to access the command aaa. switch(config)# rule 9 operation read-only action accept role NetworkAdmin command aaa switch(config)# rule 11 operation read-write action accept role NetworkAdmin command aaa In the following example, rule 9 is applicable for the role NetworkAdmin to access the command aaa: switch(config)# rule 9 operation read-only action accept role NetworkAdmin command aaa switch(config)# rule 11 operation read-write action reject role NetworkAdmin command aaa Brocade Network OS Administrator s Guide 69

94 8 Role-based access control Adding a rule The maximum number of total rules is Enter the configure terminal command. 2. Enter the rule command. NOTE The role and command fields are mandatory; the action and operation fields are optional. switch(config)# rule 150 action accept operation read-write role NetworkAdmin command config switch(config)# rule 155 action accept operation read-write role NetworkAdmin command username After creating the rules, account NetworkSecurityAdminUser can log in to the switch and create or modify the user accounts preceding with the username command. switch login: NetworkSecurityAdminUser Password: Welcome to the ConfD CLI NetworkSecurityAdminUser connected from using console on switch switch# config Entering configuration mode terminal Current configuration users: admin console (cli from ) on since :35:05 terminal mode switch(config)# username testuser role user password testpassword Changing a rule 1. Enter the rule command. NOTE All fields except rule index are optional. switch(config)# rule 155 command role After changing the rule 155, now account NetworkSecurityAdminUser can log in to the switch and execute the role command and not the username command. switch login: NetworkSecurityAdminUser Password: Welcome to the ConfD CLI NetworkSecurityAdminUser connected from 127.x.x.x using console on switch switch# config Entering configuration mode terminal Current configuration users: admin console (cli from ) on since :35:05 terminal mode switch(config)# role name NetworkAdmin 70 Brocade Network OS Administrator s Guide

95 Role-based access control 8 Deleting a rule 1. Enter the configure terminal command. 2. Enter the no rule command. switch(config)# no rule 155 After deleting rule 155, account NetworkSecurityAdminUser cannot access the role command. Displaying a rule Enter the show running-config rule command. switch# show running-config rule rule 30 action accept operation read-write role NetworkSecurityAdmin rule 30 command role rule 31 action accept operation read-write role NetworkSecurityAdmin rule 31 command rule rule 32 action accept operation read-write role NetworkSecurityAdmin rule 32 command username rule 33 action accept operation read-write role NetworkSecurityAdmin rule 33 command aaa rule 34 action accept operation read-write role NetworkSecurityAdmin rule 34 command radius-server rule 35 action accept operation read-write role NetworkSecurityAdmin rule 35 command configure rule 40 action accept operation read-write role FCOEAdmin rule 40 command "interface fcoe" switch# show running-config rule 32 rule 32 action accept operation read-write role NetworkSecurityAdmin rule 32 command username Role management for network security administration 1. Create a network security admin role. switch(config)# role name NetworkSecurityAdmin desc Manages security CLIs 2. Create a network security user account associated with the newly-created role. switch(config)# username NetworkSecurityAdmin User role NetworkSecurityAdmin password testpassword 3. Create a network security admin rule. switch(config)# rule 30 action accept operation read-write role NetworkSecurityAdmin command role switch(config)# exit switch(config)# rule 31 action accept operation read-write role NetworkSecurityAdmin command rule switch(config)# exit Brocade Network OS Administrator s Guide 71

96 8 Role-based access control switch(config)# rule 32 action accept operation read-write role NetworkSecurityAdmin command username switch(config)# exit switch(config)# rule 33 action accept operation read-write role NetworkSecurityAdmin command aaa switch(config)# exit switch(config)# rule 34 action accept operation read-write role NetworkSecurityAdmin command radius-server switch(config)# exit switch(config)# rule 35 action accept operation read-write role NetworkSecurityAdmin command config switch(config)# exit The NetworkSecurityAdminuser account that is associated with the NetworkSecurityAdmin role can now perform the user management, role management, and rule management operations. Role management for FCoE administration 1. Create an FCoE admin role. switch(config)# role name FCOEAdmin desc "Manages FCOE" switch(config-name-fcoeadmin)# exit 2. Create an FCoE admin user account. switch(config)# username FCOEAdmUser role FCOEAdmin password testpassword 3. Create rules. switch(config)# rule 40 action accept operation read-write role FCOEAdmin command interface fcoe The FCOEAdmUser account that is associated with the FCoEAdmin role can now perform the FCoE operations. 72 Brocade Network OS Administrator s Guide

97 RADIUS 8 RADIUS RADIUS is used to manage authentication, authorization, and accounting (AAA) services centrally. The supported management access channels that integrate with RADIUS are serial port, Telnet, and SSH. Authentication and accounting When a Brocade switch is configured with a set of RADIUS servers to be used for authentication, the switch also sends accounting data to the RADIUS server implicitly. The only events that are counted are successful login and logout of the RADIUS user. NOTE If the RADIUS server is not configured to support accounting, the accounting events sent by the switch to the server will be dropped. Authorization The access control of RADIUS users is enforced by RBAC on the switch; therefore, a RADIUS server should be assigned a role that is present on the switch using the Vendor Specific Attribute (VSA) Brocade-Auth-Role. After the RADIUS user is successfully authenticated, if the role assigned to the RADIUS server is not present on the switch, the user is assigned the user role. Account password changes All existing mechanisms for managing switch-local user accounts and passwords remain functional when the switch is configured to use RADIUS. Changes made to the switch-local database do not propagate to the RADIUS server, nor do the changes affect any account on the RADIUS server; therefore, changes to a RADIUS user password must be done on the RADIUS server. RADIUS server parameters The following parameters are associated with a RADIUS server that is configured on the switch. You can configure a maximum of five RADIUS servers on a Brocade switch for AAA service using the CLI command syntax. host The IP address. Options include IPv4 or IPv6. auth-port The UDP port used to connect the RADIUS server for authentication. Options are from 1 through 65535, and the default value is protocol The authentication protocol to be used. Options include CHAP, PAP, and PEAP-MSCHAP, and the default value is CHAP. IPv6 hosts are not supported if PEAP-MSCHAP is the configured protocol parameter. key The shared secret between the switch and the RADIUS server. The default value is sharedsecret. The key cannot contain spaces and must be from 8 through 40 characters in length. timeout The time to wait for a server to respond. Options are from 1 through 60 seconds, and the default value is 5 seconds. Brocade Network OS Administrator s Guide 73

98 8 RADIUS retransmit The number of retries to connect to a RADIUS server. Options are from 0 through 100, and the default value is 5. NOTE If you do not configure the key attribute, the authentication session will not be encrypted. The value of key must match the value configured in the RADIUS configuration file; otherwise, the communication between the server and the switch fails. Adding a RADIUS server You must configure the domain name server (DNS) on the switch prior to adding the RADIUS server with a domain name or a host name. Without the DNS, name resolution of the RADIUS server fails and therefore the add operation fails. 1. Enter the configure terminal command. 2. Enter the radius-server command. switch(config)# radius-server host? Possible completions: <hostname: IP Address or Hostname of this RADIUS server> switch(config)# radius-server host switch(config)# radius-server host ? Possible completions: auth-port UDP Port for Authentication (default=1812) protocol Authentication protocol to be used (default=chap) key Secret shared with this server (default= sharedsecret ) retransmit Number of retries for this server connection (default=5) timeout Wait time for this server to respond (default=5 sec) switch(config)# radius-server host switch(config)# radius-server host protocol chap? Possible completions: auth-port UDP Port for Authentication (default=1812) key Secret shared with this server (default= sharedsecret ) retransmit Number of retries for this server connection (default=5) timeout Wait time for this server to respond (default=5 sec) <cr> switch(config)# radius-server host protocol chap retransmit? Possible completions: <0-100> [5] switch(config)# radius-server host protocol chap retransmit 100 switch(config-radius-server )# switch(config)# radius-server host protocol pap key new#virgo*secret timeout 10 switch(config-host )# 74 Brocade Network OS Administrator s Guide

99 RADIUS 8 Changing a RADIUS server Using the no form of the radius-server host command sets the default values of the parameters. Use the radius-server host command to change the RADIUS server host name or IP address and the key string. 1. Enter the configure terminal command. 2. Enter the radius-server host command. switch(config)# radius-server host? Possible completions: <hostname: IP Address or Hostname of this RADIUS server> 10.xx.xx.xxx 10.xx.xx.x switch(config)# radius-server host 10.xx.xx.xxx switch(config-host-10.xx.xx.xxx)# key? Possible completions: <string>[new#virgo*secret] switch(config-host-10.xx.xx.xxx)# key changedsec switch(config-host-10.xx.xx.xxx)# no timeout Displaying a RADIUS server NOTE Attributes with default values are not displayed. 1. Enter the show running-configuration radius-server command. switch# show running-configuration radius-server host? Possible completions: 10.xx.xx.xxx IP Address or Hostname of this RADIUS server 10.xx.xx.x IP Address or Hostname of this RADIUS server switch# show running-config radius-server host 10.xx.xx.x radius-server host 10.xx.xx.x key new#vcs*secret retransmit 100 timeout 3 switch# switch# show running-config radius-server host 10.xx.xx.xxx radius-server host 10.xx.xx.xxx protocol pap key changedsec timeout 3 Brocade Network OS Administrator s Guide 75

100 8 TACACS+ Deleting a RADIUS server 1. Enter the configure terminal command. 2. Enter the no radius-server command. switch(config)# no radius-server 10.xx.xx.x switch(config)# exit switch# show running-config radius-server host radius-server host 10.xx.xx.xxx auth-port 1812 protocol chap key changedsec retransmit 5 timeout 3 TACACS+ The Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol used in AAA server environments that consist of a centralized authentication server and multiple Network Access Servers (NAS) or clients. With TACACS+ support, management of Brocade switches seamlessly integrates into these environments. Once configured to use TACACS+, a Brocade switch becomes a Network Access Server (NAS). NOTE Whereas RADIUS combines authentication and authorization in a user profile, TACACS+ separates the two services. A Brocade switch configured to perform TACACS+-based authentication supports its access through a serial port, Telnet, and SSH. All these access channels require that users know the switch IP address or name to connect to switches. The switch uses only its management IP address. Its virtual IP address of VCS is not used for the TACACS+ server during authentication. The authentication protocols supported for users authentication are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). The TACACS+ server is used only for authentication. A role should be assigned to a user configured on the TACACS+ server and configured on the switch. If the switch fails to get the user s role from the TACACS+ server after successful authentication, or if the role does not match any of the roles present on the switch, the user role is assigned by default. Thereafter, the role obtained from the TACACS+ server (or the defaulted role) is used for RBAC. TACACS+ server parameters The following parameters are associated with a TACACS+ server that is configured on the switch. A maximum of five TACACS+ servers can be configured on a Brocade switch for authentication service using the CLI command syntax. host The IP address (IPv4) of the TACACS+ server. port The TCP port used to connect the TACACS+ server for authentication. The default is 49. protocol The authentication protocol to be used for authentication. The default is CHAP. 76 Brocade Network OS Administrator s Guide

101 TACACS+ 8 key The shared secret between the switch and the server to make the message exchange secure. The value is sharedsecret. The key cannot contain spaces and must be from 8 through 40 characters in length. timeout The time to wait for a server to respond. Options are from 1 through 60 seconds, and the default value is 5 seconds. retries The number of retries to connect to a TACACS+ server. Options are from 0 through 100, and the default value is 5. NOTE If you do not configure the key attribute, the authentication session will not be encrypted. The value of key must match with the value configured in the TACACS+ configuration file; otherwise, the communication between the server and the switch fails. Adding a TACACS+ server 1. Enter the configure terminal command. 2. Enter the tacacs-server host command. switch(config)# tacacs-server host? Possible completions: <hostname: IP Address or Hostname of this TACACS+ server> switch(config)# tacacs-server host ? Possible completions: port TCP Port for Authentication (default=49) protocolauthentication protocol to be used (default=chap) retriesnumber of retries for this server connection (default=5) timeoutwait time for this server to respond (default=5) <cr> switch(config)# tacacs-server host switch(config)# tacacs-server host protocol chap? Possible completions: port TCP Port for Authentication (default=49) retriesnumber of retries for this server connection (default=5) timeoutwait time for this server to respond (default=5) switch(config)# tacacs-server host protocol chap switch(config)# tacacs-server host protocol chap retries? Possible completions: <0-100> switch(config)# tacacs-server host protocol chap retries 100 switch(config-tacacs-server )# switch(config)# tacacs-server host protocol chap key new#virgo*secret Brocade Network OS Administrator s Guide 77

102 8 TACACS+ Changing a TACACS+ server Use the tacacs-server host command to change the TACACS+ server host name or IP address and the key string. 1. Enter the configure terminal command. 2. Enter the tacacs-server host command. switch(config)# tacacs-server host? Possible completions: <hostname: IP Address or Hostname of this TACACS+ server> 10.xx.xx.xxx 10.xx.xx.x switch(config)# tacacs-server host 10.xx.xx.xxx switch(config-host-10.xx.xx.xxx)# key? Possible completions: <string>[##tac*plus&secret] switch(config-host-10.xx.xx.xxx)# key changedsec Displaying a TACACS+ server NOTE Attributes with default values are not displayed. Enter the show running-config tacacs-server host command. switch# show running-config tacacs-server host? Possible completions: 10.xx.xx.xxx IP Address or Hostname of this TACACS+ server 10.xx.xx.x IP Address or Hostname of this TACACS+ server switch# show running-config tacacs-server host 10.xx.xx.x tacacs-server host 10.xx.xx.x key new#virgo*secret retries 100! switch# switch# show running-config tacacs-server host 10.xx.xx.xxx tacacs-server host 10.xx.xx.xxx key changedsec 78 Brocade Network OS Administrator s Guide

103 Login authentication 8 Deleting a TACACS+ server Enter the no tacacs-server host command. NOTE Using the no form of the tacacs-server host command sets the default values of the parameters. switch(config)# no tacacs-server host 10.xx.xx.x switch(config)# exit switch# show running-config tacacs-server host Possible completions: 10.xx.xx.xxx IP Address of this TACACS+ server <cr> switch# show running-config tacacs-server host 10.xx.xx.xxx tacacs-server host 10.xx.xx.xxx key changedsec! switch# config switch(config)# no tacacs-server host 10.xx.xx.xxx key switch(config)# exit switch# show running-config tacacs-server host 10.xx.xx.xxx tacacs-server host 10.xx.xx.xxx! switch# config switch(config)# tacacs-server host 10.xx.xx.xxx key? <string> [sharedsecret] Login authentication Authentication mode is defined as the order of authentication sources to be used for user authentication (the login process). Two sources of authentication are supported: primary and secondary. The secondary source of authentication is used in the event of primary source failover and is optional for configuration. There are three possible sources: Local the default source. RADIUS TACACS+ NOTE You can set the authentication mode, but you cannot add a new authentication mode or delete an existing authentication mode. When the Authentication, Authorization, and Accounting (AAA) mode is changed, an appropriate message is broadcast to all logged-in users and the active login sessions end. If the primary source is set to an external AAA type (RADIUS or TACACS+) and the secondary source is not configured, the following events occur: For Telnet-based and SSH connections based logins, the login authentication fails either if none of the configured (primary source) AAA servers respond or if an AAA server rejects the login. For a serial port (console) connection-based login, if a user s login fails for any reason with the primary source, then failover happens and the same user credentials are used for login through the local source. This failover is not explicit. Brocade Network OS Administrator s Guide 79

104 8 Login authentication If the primary source is set to an external AAA type, and the secondary source is configured to be local (for example, aaa authentication login radius local), then, if login fails through the primary source either because none of the configured servers are responding or the login is rejected by a server, failover happens and authentication occurs again through the secondary source (local). Conditions for conformance If the first source is specified as default, do not specify a second source. A second source signals a request to set the login authentication mode to its default value, which is local. If the first source is local, the second source cannot be set to any value (except only) because the failover will never occur. The source of authentication (except local) and the corresponding server type configuration are dependent on each other. Therefore, there should be at least one server configured before that server type can be specified as a source. If the source is configured to be a server type, then you can not delete a server of that type if it is the only server in the list. For example, if there are no entries in tacacs-server, the authentication mode cannot be set to tacacs+ or tacacs+ local. Similarly, when the authentication mode is radius or radius local, a RADIUS server cannot be deleted if it is the only one in the list. Authentication limitations You cannot change the authentication mode from tacacs+ local to tacacs+ or from radius local to radius. The workaround is to remove AAA and then set it to the correct value. 1. Enter the no aaa authentication login command. 2. Enter the aaa authentication login tacacs+ command or the aaa authentication login radius command. Setting the authentication mode Enter the aaa authentication login command. switch(config)# aaa authentication login? Possible completions: default local radius tacacs+ switch(config)# aaa authentication login tacacs+? Possible completions: local switch(config)# aaa authentication login tacacs+ local Displaying the authentication mode Enter the show running-config aaa command. switch# show running-config aaa aaa authentication login tacacs+ local 80 Brocade Network OS Administrator s Guide

105 Passwords 8 Setting the authentication mode to the default Enter the no aaa authentication login command. switch(config)# no aaa authentication login switch(config)# exit switch# show running-config aaa aaa authentication login local Passwords The password strength policy enforces a set of rules that new passwords must satisfy. The password strength policy is enforced only when a new password is defined and enforced across all local user accounts, and is comprised of the following set of character restrictions: Lowercase Specifies the minimum number of lowercase alphabetic characters that must occur in the password. The maximum value must be less than or equal to the MinLength value. The default value is zero, which means there is no restriction of lowercase characters. Uppercase Specifies the minimum number of uppercase alphabetic characters that must occur in the password. The maximum value must be less than or equal to the MinLength value. The default value is zero, which means there is no restriction of uppercase characters. Digits Specifies the minimum number of numeric digits that must occur in the password. The maximum value must be less than or equal to the MinLength value. The default value is zero, which means there is no restriction of numeric digits. Punctuation Specifies the minimum number of punctuation characters that must occur in the password. All printable, non-alphanumeric punctuation characters except colon (:) are allowed. The value must be less than or equal to the MinLength value. The default value is zero, which means there is no restriction of punctuation characters. MinLength Specifies the minimum length of the password. Passwords must be from 8 through 32 characters in length. The default value is 8. The total of the previous four parameters (lowercase, uppercase, digits, and punctuation) must be less than or equal to the MinLength value. When a password fails more than one of the strength attributes, an error is reported for only one of the attributes at a time, in the order the attributes are described previously. Password account lockout The account lockout policy disables a user account when the user exceeds a configurable number of failed login attempts. The mechanism can be configured to keep the account locked until explicit administrative action is taken to unlock the account or the locked account may be automatically unlocked after a specified period. An administrator can unlock a locked account at any time. A failed login attempt counter is maintained for each user. The counters for all user accounts are reset to zero when the account lockout policy is enabled. The counter for an individual account is reset to zero on any successful login attempt. Maximum retries and the lockout threshold can be configured on a Brocade switch using the CLI command syntax. Brocade Network OS Administrator s Guide 81

106 8 Passwords Max Retry (the lockout threshold) specifies the number of times a user can specify an incorrect password during login before the account is locked. The number of failed login attempts is counted from the last successful login. Lockout Threshold can be set to a value from 0 through 16. Setting this parameter to zero disables the lockout mechanism. The default value is 0. The account lockout policy is enforced across all user accounts except the root and admin accounts. When a user account is locked, it can be unlocked using Unlocking a user account on page 64. Password interaction with external servers The password policies apply to local switch authentication only. External AAA servers such as RADIUS and TACACS+ provide independent password-enforcement mechanisms. The password management commands operate on the local password database only, even when the switch is configured to use RADIUS or TACACS+ authentication. When so configured, RADIUS or TACACS+ authentication is applied to login only. When RADIUS or TACACS+ authentication is enabled, an administrator can still perform user and password management functions on the local password database. Setting password attributes 1. Enter the configure terminal command. 2. Enter the password-attributes command. switch(config)# password-attributes switch(config-password-attributes)# min-length 8 max-retry 4 switch(config-password-attributes)# character-restriction lower 2 switch(config-password-attributes-character-restriction)# upper 1 switch(config-password-attributes-character-restriction)# numeric 1 special-char 1 Default password attributes Using the no form of the password-attributes command sets the default values of the individual attributes. 1. Enter the configure terminal command. 2. Enter the no password-attributes command. switch(config)# no password-attributes min-length switch(config)# password-attributes max-retry 4 switch(config)# no password-attributes 82 Brocade Network OS Administrator s Guide

107 Passwords 8 Displaying password attributes NOTE Attributes with default values are not displayed. 1. Enter the configure terminal command. 2. Enter the show running-config password-attributes command. switch(config)# password-attributes? Possible completions: character-restriction Set restriction on various types of character max-retry Maximum number of login retires before which the user account is locked. min-length Minimum length of the password. switch(config)# password-attributes max-retry 4 switch(config)# password-attributes character-restriction lower 2 switch(config)# password-attributes character-restriction upper 1 numeric 1 special-char 1 switch(config)# exit switch# show running-config password-attributes password-attributes max-retry 4 password-attributes character-restriction upper 1 password-attributes character-restriction lower 2 password-attributes character-restriction numeric 1 password-attributes character-restriction special-char 1 switch# configure switch(config)# no password-attributes character-restriction lower switch(config)# no password-attributes character-restriction upper switch(config)# exit switch# show running-config password-attributes password-attributes max-retry 4 password-attributes character-restriction numeric 1 password-attributes character-restriction special-char 1 switch# configure switch(config)# no password-attributes switch(config)# exit switch# show running-config password-attributes % No entries found. switch# Brocade Network OS Administrator s Guide 83

108 8 Passwords 84 Brocade Network OS Administrator s Guide

109 SNMP Chapter 9 In this chapter SNMP community strings SNMP server hosts Simple Network Management Protocol (SNMP) is a standard method for monitoring and managing network devices. Every Brocade switch carries an SNMP agent and management information base (MIB). SNMP is a set of protocols for managing complex networks. SNMP sends messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters. Restricting SNMP access using ACL, VLAN, or a specific IP address constitute the first level of defense when the packet arrives at a Brocade device. The next level uses community string matches for SNMP versions 1 and 2. For details on Brocade MIB files, naming conventions, loading instructions, and information about using Brocade's SNMP agent, see the Network OS v2.0.0 MIB Reference. SNMP community strings SNMP versions 1 and 2c use community strings to restrict SNMP access. There are six default community strings configured for the user: three read-write strings and three read-only strings. NOTE You can specify one of the six default community strings when the system first comes up. If you create a new community string, you must delete one of the six default strings to make space for the new one. The following community strings are read-write: Secret Code OrigEquipMfr private The following community strings are read-only: public common ConvergedNetwork Brocade Network OS Administrator s Guide 85

110 9 SNMP community strings Adding an SNMP community string The snmp-server community command sets the community string and read-write or read-only access for each community. Use this command to manage the configuration of the SNMP agent in the switch. The configuration includes SNMPv1 and SNMPv2c configuration settings. You can execute SNMP server commands in global configuration mode. 1. Enter the configure terminal command. 2. Enter the snmp-server community string [ro rw] command. For example: switch(config)#snmp-server community private rw The string parameter specifies the community string name. The string can be up to 32 characters long. The ro or rw parameter specifies whether the string is read-only (ro) or read-write (rw). The command in the example above adds the read-write SNMP community string private with read-write access. Removing an SNMP community string The following example removes the community string public : 1. Enter the configure terminal command. 2. Enter the no snmp-server community command. For example: switch(config)#no snmp-server community private ro Changing the access of a read-only community string to read-write The following example changes the access of user123 from read-only to read-write. 1. Enter the configure terminal command. 2. Enter the snmp-server community user123 rw command. Displaying the SNMP community strings To display the configured community strings, enter the following command at any CLI level. switch# show running-config snmp-server 86 Brocade Network OS Administrator s Guide

111 SNMP server hosts 9 SNMP server hosts The snmp-server host command sets the trap destination IP addresses, SNMP version, community string for SNMP version 1 and 2c, and the destination port for the SNMP server host. To configure SNMP trap hosts associated with community strings, you must create the community string using the snmp-server community command before configuring the host. The agent supports six communities and their associated trap recipients and trap recipient severity levels. The default value for the trap recipient of each community is The length of the community string should be in the range of 2 to 16 characters. The default values for the community strings are: <community:word> Community strings used to query MIB objects. ConvergedNetwork read-only OrigEquipMfr read-write Secret C0de read-write common read-only private read-write public read-only NOTE To add any new community string for SNMPv1 or v2c under one of the read-only or read-write groups, one of the six entries listed above must be deleted. Setting the SNMP server host You can execute SNMP server commands in global configuration mode. 1. Enter the configure terminal command. 2. Enter the snmp-server server host ipv4_host community string [version {1 2c} ] [udp-port port] command. The ipv4_host parameter specifies the IP address of the host. Only IPv4 hosts are supported. The community-string sets the community string. The version selects SNMPv1 or SNMPv2c-related configuration parameters. These parameters include the community string. The default SNMP version is 1. The udp-port parameter specifies the UDP port where SNMP traps will be received. The default port is 162. The acceptable range of ports is 0 through The following example sets up commaccess as a read-only user and sets as a trap recipient with SNMP version 2c on target port 162: switch(config)#snmp-server host commaccess version 2c udp-port 162 Brocade Network OS Administrator s Guide 87

112 9 SNMP server hosts Setting the SNMP server contact Use this command to set the SNMP server contact string. The default contract string is Field Support. 1. Enter the configure terminal command. 2. Enter the snmp-server contact string. The following example changes the default contact string to Operator You must enclose the text in double quotes if the text contains spaces. switch(config)# snmp-server contact Operator Setting the SNMP server location Use this command to set the SNMP server location string. The default SNMP server location string is End User Premise. 1. Enter the configure terminal command. 2. Enter the snmp-server location string command. The following example changes the default location string to Building 3, Room 214. You must enclose the text in double quotes if the text contains spaces. switch(config)# snmp-server location Building 3 Room 214 Displaying SNMP configurations Use this command to display the current SNMP configurations for the SNMP host, community string, contact, and location. There are no default configurations for this command. This command can only be executed in Privileged EXEC command mode. Enter the show running-config snmp-server command. switch# show running-config snmp-server 88 Brocade Network OS Administrator s Guide

113 Fabric Chapter 10 In this chapter TRILL VCS fabric formation VCS fabric configuration Fabric ISL configuration TRILL A VCS Ethernet fabric is defined as a group of switches that exchange information among each other to implement distributed intelligence. The Brocade Ethernet fabric uses Transparent Interconnection of Lots of Links (TRILL) protocol, designed for the sole purpose of scaling Ethernet networks by allowing a set of devices, called routing bridges (RBridges), to connect with each other. A link state dynamic routing protocol, rather than Spanning Tree Protocol (STP), determines how the traffic is forwarded between the inter-connected RBridges. Link state routing in VCS-based TRILL networks is performed using Brocade s proven Fabric Shortest Path First (FSPF) protocol, which enables faster convergence when compared to STP. FSPF is used to: Dynamically compute routes throughout a fabric by establishing the shortest and quickest path between any two switches. Select an alternative path in the event of the failure of a given path. FSPF supports multiple paths and automatically computes an alternative path around a failed link. It provides a preferred route when two equal paths are available. TRILL enables Layer 2 networks to behave like routed Layer 3 IP networks. TRILL also defines native support for forwarding both unicast and multicast traffic, and therefore unifies support for both of these different classes of applications over a single transport. TRILL provides the capability to use multi-paths in an active-active mode, as compared to STP in forwarding-blocking mode. An active-active configuration eliminates traffic bottleneck and frees up bandwidth across the entire cluster. Brocade Network OS Administrator s Guide 89

114 10 VCS fabric formation VCS fabric formation The RBridge ID of a cluster unit is equal to the domain ID of a switch. RBridge ID assignment is implemented by leveraging the domain ID assignment protocols in the Fibre Channel SANs. Request for Domain ID (RDI) and Domain ID Assignment (DIA) protocols ensure that a single switch (the principal switch) is centrally allocating the domain IDs for every RBridge in the fabric and detecting and resolving any domain ID conflicts in the fabric. NOTE Network OS v2.0.0-based fabrics can have a maximum of 239 RBridges in a single VCS fabric. The following sequence of events describes the VCS fabric formation process: Each VCS fabric is identified by a VCS fabric ID. All Brocade VCS fabric-capable switches are configured with a factory default VCS ID of 1. The switch software searches for the VCS enable attribute. NOTE If the software cannot locate the VCS enable attribute, the switch goes into standalone mode and operates like an Ethernet switch. Assuming the switch is VCS fabric-enabled, the switch software invokes a series of protocols: - Brocade Link Discovery Process (BLDP) attempts to discover if a VCS fabric-capable switch is connected to any of the edge ports. Refer to Neighbor discovery on page 91 for more information. - BLDP attempts to merge the adjacent Brocade switch into the VCS fabric environment at the link level. A series of Fibre Channel fabric formation protocols (RDI, DIA, and FSPF) are initiated once a link level relationship has been established between two VCS neighbor switches. Refer to Fabric formation on page 91 for more information. How RBridges work RBridges find each other by exchanging link-state routing protocol Hello frames. Like all link-state routing protocol, TRILL Hello frames are transparently forwarded by bridges and are processed by RBridge ports. Using the information exchanged in the Hello frames, the RBridges on each link elect the designated RBridge for that link. The RBridge link state includes information such as VLAN connectivity, multicast listeners, multicast router attachment, claimed nicknames, and supported ingress-to-egress options. The designated RBridge specifies the appointed forwarder for each VLAN on the link (which could be itself) and the designated VLAN for inter-rbridge communication. The appointed forwarder handles native frames to and from that link in that VLAN. The Ingress RBridge function encapsulates frames from the link into a TRILL data frame. The Egress RBridge function decapsulates native frames destined for the link from the TRILL data frames. TRILL data frames with known unicast destinations are forwarded by RBridge hop. Multi-destination frames (broadcast, unknown unicast, and multicast) are forwarded on a tree rooted at an RBridge. 90 Brocade Network OS Administrator s Guide

115 VCS fabric formation 10 Unicast forwarding is handled by combining domain routing generated by FSPF and MAC-to-RBridge learning generated by MAC learning and a distributed MAC database. Multicast forwarding uses one tree rooted at the switch with the lowest RBridge ID. Neighbor discovery VCS fabric-capable neighbor discovery involves the following steps: Discovering whether the neighbor is a Brocade switch. Discovering whether the Brocade neighbor switch is VCS fabric-capable. Only VCS fabric-capable switches with the same VCS ID can form a virtual cluster switch. The default settings for Brocade switches are VCS fabric-capable and a VCS ID of 1. Brocade trunks Brocade trunks are the special proprietary link aggregation mechanisms built into the hardware to automatically aggregate multiple eligible links without any configuration. These link-aggregation methods are different from standards-based LACP protocol. The traffic is load-balanced among the trunk members by distributing frames in round-robin fashion. NOTE All ISL ports connected to the same neighbor Brocade switch attempt to form a trunk. For a successful trunk formation, all ports on the local switch must be part of the same port group and must be configured at the same speed. Rules for these trunks are similar to trunks on Brocade Fibre Channel switches: eight ports are allowed per trunk group. Fabric trunking is enabled by default. Refer to Disabling a fabric trunk on page 94 if you want to disable fabric trunking. Fabric formation VCS fabrics leverage proven Fibre Channel fabric protocols to build a TRILL fabric. The main functions of the fabric formation protocols are to: Assign the VCS fabric-wide unique RBridge IDs (domain ID assignment). Create the network topology database using link state routing protocol (Fabric Shortest Path First, or FSPF). FSPF calculates the shortest path routes to a destination RBridge. Distribute fabric multicast traffic. Fabric routing protocol After a domain ID is assigned to a switch, the Fabric Shortest Path First (FSPF) link state routing protocol begins to form adjacencies and collects topology and inter-connectivity information with its neighbors.a VCS fabric uses FSPF to calculate and elect a loop-free multicast tree rooted, by default at the switch, with the lowest RBridge ID. The multicast tree is calculated after the unicast routes are computed. Brocade Network OS Administrator s Guide 91

116 10 VCS fabric configuration VCS fabric configuration Use the vcs command to configure the VCS fabric parameters, VCS ID, and the switch RBridge ID, and to enable VCS fabric mode. You can set the VCS fabric parameters and enable VCS fabric mode at the same time, or you can enable VCS fabric and then perform the ID assignments separately. Complete the following configuration steps to add a new switch into a fabric. 1. Enable the VCS fabric by entering one of the following commands, based on your current configuration. If the VCS fabric is already enabled, enter the vcs rbridge ID rbid command. Valid RBridge IDs are 1 through 239. All user-assigned RBridge IDs must be unique. If the VCS fabric is disabled, enter the vcs rbridgeid rbid enable command. If you want to set a non-default VCS ID and the VCS fabric is already enabled, enter the vcs rbridgeid rbid vcsid vcsid command. If you want to set a non-default VCS ID and the VCS fabric is disabled, enter the vcs rbridgeid rbid vcsid vcsid enable command. 2. Choose a unique RBridge ID value for this switch based on the fabric the switch is joining. The switch remembers its RBridge ID once it has been assigned. 3. Reboot the system. The system clears the configuration and reboots automatically if you enter Y at the prompt. After the required reboot, the switch participates in the RBridge ID allocation protocol, which insists that the same value that was manually configured prior to reboot be allocated after reboot. NOTE The switch is not allowed into the fabric if there is a conflict; for example, if another switch with the same RBridge ID exists and is operational in the fabric. You have the opportunity to select a new RBridge ID using the same CLI. Each time you change the VCS fabric configuration, the switch resets to the default configuration and reboots automatically. Make sure to save the configuration before you issue any of the following vcs commands. vcs enable no vcs enable vcs rbridgeid # enable vcs vcsid # enable vcs vcsid # rbridgeid # enable 92 Brocade Network OS Administrator s Guide

117 VCS fabric configuration tasks 10 VCS fabric configuration tasks Table 8 lists additional commands you can enter to set up your VCS fabric environment. TABLE 8 VCS fabric configuration task examples VCS fabric configuration task Disable the switch, set the RBridge ID, and enable VCS fabric mode at the same time. Set the VCS ID and enable the VCS fabric mode at the same time. Disable the switch, set the VCS ID and the RBridge ID, and enable VCS fabric mode. Enable VCS Fabric mode (sets the RBridge ID to 1 and the VCS ID to 1), change the RBridge ID to 3 and the VCS ID to 1. Switch from Fabric Cluster mode to Standalone mode (Sets the RBridge ID to 1 and the VCS ID to 0). Display a VCS configuration. VCS fabric command example switch# vcs rbridgeid 3 enable switch# vcs vcsid 1 enable switch# vcs rbridgeid 3 vcsid 1 enable switch# vcs enable switch# vcs rbridgeid 3 switch# vcs vcsid 1 switch# no vcs enable switch# show vcs The show vcs command returns the state as disabled if the switch is in standalone mode. The show fabric all command cannot be issued in standalone mode. Fabric ISL configuration A physical interface in a VCS fabric can either be an edge port or a fabric port, but not both. The fabric ISL enable command controls the administrative state of an ISL between two cluster switches. The default setting of the ISL formation mode is enable; therefore, an ISL automatically forms between two cluster switches. Using the fabric isl enable command on an operational ISL has no effect. However, using the no fabric isl enable command on an interface toggles its link status and subsequently disables ISL formation. In addition, the no fabric isl enable command triggers the switch to inform its neighbor that the local interface is ISL-disabled. Upon receiving such information, a neighbor switch stops its ISL formation activity regardless of its current interface state. This activity leaves the ISL in an Admin Down state and the physical interface in an ISL Down state. NOTE A shutdown command on an operating ISL interface not only brings down the physical link but also its FSPF adjacency. The main difference between a shutdown command and a no fabric isl enable command is that the link stays up after a no fabric isl enable, while the link stays down after shutdown. Brocade Network OS Administrator s Guide 93

118 10 Fabric ISL configuration Disabling a fabric ISL The no fabric isl enable command sets the admin state of an ISL to Down. It does not affect the auto-discovery of an interface as an ISL. Ports between RBridges that share the same VCS ID always come up as ISLs. The no fabric isl enable command has no effect on an edge port. 1. To disable a Fabric ISL, enter the config-tengigabitethernet-x/x/x command, where x/x/x = switch/slot/port. 2. Enter the no fabric isl enable command. Fabric trunks The Network OS v2.0.0 supports Brocade trunks. The trunk formation does not require user intervention or configuration except enabling or disabling, which instructs the switch software to form a trunk at the global level or not. Disabling a fabric trunk Fabric trunking is enabled by default. Enter the no fabric trunk enable command to revert the ISL back to a standalone adjacency between two VCS fabric switches. To re-enable fabric trunking, enter the fabric trunk enable command. Broadcast, unknown unicast, and multicast forwarding Fabric Shortest Path First (FSPF) is the standard path selection protocol used by Fibre Channel fabrics. The FSPF feature is enabled by default on all Fibre Channel switches. FSPF automatically calculates the best path between any two switches in a fabric. All switches in a VCS fabric cluster share a single multicast tree rooted at the RBridge with the lowest RBridge ID. All broadcast, unknown unicast, and multicast (BUM) traffic between two edge RBridges is forwarded on this multicast tree inside the VCS fabric. The multicast tree includes all the RBridges in the VCS fabric. Multicast distribution tree-root selection Network OS v2.0.0 software supports the following distribution tree behaviors: By default, the root of the distribution tree is the switch with the lowest RBridge ID. The automated selection process does not require any user intervention. Each switch in the cluster optionally carries a multicast root priority. This priority setting overrides the automatically-selected multicast root. In deployments where a multicast root is required to be a specific switch that does not have the lowest RBridge ID, the priority setting on that switch can override the root selection. If there are two switches with the same priority, then the switch with the lower RBridge ID prevails. A back-up multicast root is preselected, which is the switch with the next highest priority or the lowest RBridge ID of the remaining switches that share the next highest priority. The back-up multicast root is automatically selected by all switches should the current multicast root fail. 94 Brocade Network OS Administrator s Guide

119 Fabric ISL configuration 10 Priorities The root of the tree is auto-selected as the switch with the lowest RBridge ID. For example, if you have a cluster with RBridge IDs 5, 6, 7, and 8, then 5 would be the root. If you then added RBridge ID 1 to this fabric, the tree would be recalculated with 1 as the root. In order to avoid this behavior, you can set a priority (default is 0). The highest priority overrides the lowest RBridge ID and becomes the root. For example, to build a fabric with RBridge ID 7 or 8 as the root, set their priorities to something higher than 0 (priority values range from 0 through 255). If there is a tie in priority, the lower RBridge ID is still chosen. For example, if RBridge ID 7 and 8 are both set to priority 10, 7 becomes the root. If 7 leaves the fabric, 8 becomes the root. If, at that point, 8 leaves the fabric, 1 becomes the root. Changing the RBridge ID priority To change the RBridge ID priority, enter the fabric route multicast rbridgeid command. switch(config)# fabric route mcast rbridgeid 7 priority 10 Displaying the running configuration The show running-config fabric route mcast command allows you to display fabric route multicast configuration information. The configuration currently effective on the switch is referred to as the running configuration. Any change made to the configuration while the switch is online is made to the running configuration. The running configuration is not persistent. NOTE To save configuration changes, you must save the running configuration file to a file, or you can apply the changes by copying the running configuration to the startup configuration. To display the running configuration, enter the show running-config fabric route mcast command. switch# show running-config fabric route mcast Brocade Network OS Administrator s Guide 95

120 10 Fabric ISL configuration 96 Brocade Network OS Administrator s Guide

121 Configuring AMPP Chapter 11 In this chapter AMPP overview Configuring AMPP port-profiles Monitoring AMPP profiles AMPP overview Server virtualization infrastructure associates a server-side Virtual Ethernet Bridge (VEB) port-profile to each Ethernet MAC address used by a Virtual Machine (VM) to access the network through a VEB port. If the VM is migrated from one physical server to another, the VEB s port-profile migrates with it, providing automated port-profile migration of the server s VEB ports that are associated with the VM. For environments where the server s virtualization infrastructure provides sufficient controls, automated port-profile migration approaches are fine. An example of such an environment is a high performance cluster that uses a Layer 2 network which is isolated from external networks through firewalls and security appliances. However, there is a gap between the access and Quality of Service (QoS) controls supported in external Layer 2 switches and the server virtualization infrastructure. External Layer 2 switches have more advanced controls compared to server VEB implementations. Some environments prefer the more advanced controls provided by external network switches. An example of such an environment is a multi-tier data center that has several types of applications, each with differing advanced network controls, running over the same Layer 2 network. In this type of environment, the network administrator often prefers the use of advanced access controls available in external switches. Layer 2 networks do not provide a mechanism for automatically migrating switch access and traffic controls associated with an end-point device when that device migrates from one switch to another. The migration may be physical, such as an operating system image (such as an application, middleware, operating system, and associated state) that is running BareMetal OS on one system and is migrated to another system. The migration may be also be virtual, such as an operating system image that is running over Hypervisor VMware on one system and is migrated to run over Hypervisor VMware on another system. The Brocade Auto Migrating Port Profile (AMPP) feature provides these advanced controls for maintaining and migrating these port-profile associations when a VM migrates across physical servers. Brocade Network OS Administrator s Guide 97

122 11 Configuring AMPP port-profiles Configuring AMPP port-profiles As shown in Figure 9, the default port-profile contains the entire configuration needed for a VM to get access to the LAN and SAN. Port-profile fcoe-profile vlan-profile QoS-profile Security-profile FIGURE 9 Port-profile contents In addition, all the combinations can be mixed up with some security rules grouped under a security-profile. NOTE A port-profile does not contain some of the interface level configurations, such as LLDP, SPAN, LAG, and so on. A port-profile operates as a self-contained configuration container. In other words, if a port-profile is applied on a completely new switch without any configuration, it is capable of configuring the interface s local configuration and starting to carry traffic. Any changes to the policies are immediately applied to the data plane. NOTE The fcoe-profile is only available on the default profile. User-defined port-profiles do not have access to the fcoe-profile. See Configuring FCoE profiles on page 101 for details. However, editing of the port-profile is not allowed once the port-profile is activated. Activation of the port-profile is mandatory when it is applied to a port. Life of a port-profile A port-profile during creation will go through multiple states. Life of a port-profile. The states of a port-profile are: Created This state specifies that a port-profile is created but may not be complete. When the port-profile is created or modified. Activated This state specifies that a port-profile is activated and is available for MAC->port-profile association. If the port-profile created is not complete then the activation fails; you must resolve any conflicts or dependencies and reactivate the port-profile. 98 Brocade Network OS Administrator s Guide

123 Configuring AMPP port-profiles 11 Associated This state specifies that one or more MAC addresses have been associated to this port-profile within the fabric. Applied This state indicates that the port-profile is applied on the profiled port where the associated MAC address appeared. In the absence of any signaling protocol, the system snoops the packet to detect if the associated MAC address has appeared on the profiled port. Configuration of two different port-profiles can co-exist on a profiled port, but if there is a conflict then the application of the later port-profile fails. Table 9 describes the AMPP events and the applicable failure behaviors. TABLE 9 AMPP event AMPP behavior and failure descriptions Applicable behavior and failures Create port-profile If the port-profile does not exist, then it is created. If it exists, then it is available for modification (if it is not yet activated). Activate port-profile If the port-profile configuration is not complete, activation fails. Unless the port-profile is activated, it is not applied on any switch port. If all the dependency validations succeed, the port-profile is in the ACTIVE state and is ready for association. De-activate port-profile This event removes the applied port-profile configuration from all the profiled-ports. De-activation is allowed even if there are MAC addresses associated with the port-profile. Modify port-profile Port-profile can be edited only in the pre-activation stage. The port-profile is set to the INACTIVE state if any conflicting attributes are configured, or some dependent configuration is not completed. Port-profile state is set as INACTIVE and any attempt to associate the port-profile to a MAC address may not be allowed. Associate MAC addresses to a port-profile De-associate MAC addresses from a port-profile If mapping already exists with another port-profile, AMPP does not allow a MAC address to be mapped to multiple port-profiles. If mapping does not exist, the port is configured to allow the MAC address with all the policies specified in the port-profile applied to that MAC address on that port or switch. If mapping exists, all the policies configured for a specific MAC address are removed from that port or switch. Deleting a port-profile An IN USE error is generated if the port-profile is in an activated state. AMPP forces you to de-activate the profile before deleting. If the port-profile is in an inactive state, then deletion of profile removes all the MAC associations as well. Modifying port-profile content when in an associated state Moving the VM MAC and notifying the fabric An IN USE error is generated if the port-profile is already activated. All policies associated to the port-profile ID are mapped on the MAC address and applied to the new port in the fabric. Unused port-profile You must manually remove the MAC address mapping to remove any MAC association. Brocade Network OS Administrator s Guide 99

124 11 Configuring AMPP port-profiles Configuring a new port-profile To support VM MAC address learning, the default port-profile is employed. The default profile is different from the other user-defined AMPP profiles: The port-profile ID (ppid) of the cannot be changed. The VLAN sub-profile cannot be modified. The QoS sub-profile and security-profile cannot be added. The default port-profile can not be activated. Brocade recommends that you create a new port-profile to accomodate your requirements. To configure a new port-profile, perform the following steps in privileged EXEC mode. 1. Create and configure a new port-profile name. switch#configure terminal Enter configuration commands, one per line. End with CNTL/Z. switch(config)#port-profile vm1-port-profile switch(config-pp)#vlan-profile switch(conf-pp-vlan)#switchport trunk native-vlan 300 switch(conf-pp-vlan)#switchport trunk allowed vlan add Exit VLAN profile configuration mode. switch(conf-pp-vlan)#exit 3. Activate the profile. switch(config)#port-profile vm1-port-profile activate 4. Associate the profile to the MAC address for each host. switch(config)#port-profile vm1-port-profile static bf.0001 switch(config)#port-profile vm1-port-profile static bf.0002 switch(config)#port-profile vm1-port-profile static bf.0003 switch(config)#port-profile vm1-port-profile static bf.0004 switch(config)#port-profile vm1-port-profile static bf.0005 Configuring VLAN profiles The VLAN profile defines the VLAN membership of the overall port-profile, which includes both the tagged and untagged VLANs. NOTE Network OS v2.0.0 does not support VLAN classifiers. To configure the VLAN profile, perform the following steps in global configuration mode. 1. AMPP profiles can not be modified while active. De-activate the port-profile before modifying the VLAN profile. switch(config)#no port-profile vm1-port-profile activate 2. Enter VLAN profile configuration mode. switch(config)#port-profile vm1-port-profile switch(conf-pp)#vlan-profile 100 Brocade Network OS Administrator s Guide

125 Configuring AMPP port-profiles Use the switchport command to change the mode to Layer 2 and set the switching characteristics to the defaults. switch(conf-pp-vlan)#switchport 4. Access the VLAN profile mode for the correct VLAN. switch(conf-pp-vlan)#switchport access vlan Enter trunk configuration mode. switch(conf-pp-vlan)#switchport mode trunk 6. Configure the trunk mode for the allowed VLAN IDs. switch(conf-pp-vlan)#switchport trunk allowed vlan add 10, 20, Configure the trunk mode to be a native VLAN. switch(conf-pp-vlan)#switchport trunk native-vlan Exit VLAN profile configuration mode. switch(conf-pp-vlan)#exit 9. Activate the profile. switch(config)#port-profile vm1-port-profile activate 10. Associate the profile to the MAC address for each host. switch(config)#port-profile vm1-port-profile static bf.0001 switch(config)#port-profile vm1-port-profile static bf.0002 switch(config)#port-profile vm1-port-profile static bf.0003 switch(config)#port-profile vm1-port-profile static bf.0004 switch(config)#port-profile vm1-port-profile static bf.0005 Configuring FCoE profiles Only the FCoE profile of the default profile can be modified. This is allowed only when there are no other active profiles on the switch. The FCoE profile can only be part of the default profile. When it is part of the default profile, FCoE is enabled globally and all the profiled ports automatically become FCoE ports. In the absence of the FCoE profile in the default AMPP profile, you can configure FCoE on a per-interface basis, based on the profiled ports. See Configuring FCoE interfaces on page 119 for details. To globally configure the FCoE profile, perform the following steps in global configuration mode. 1. Enter FCoE configuration mode. switch(config)#fcoe 2. Enter fabric-map configuration mode. switch(config-fcoe)#fabric-map default 3. Define the priority for the FCoE fabric map. switch(config-fcoe-fabric-map)#priority 3 4. Define the advertisement interval for the FCoE fabric map. switch(config-fcoe-fabric-map)#advertisement interval 8000 Brocade Network OS Administrator s Guide 101

126 11 Configuring AMPP port-profiles 5. Define the FCMAP value for the FCoE fabric map. switch(config-fcoe-fabric-map)#fcmap 0E:FC:00 6. Return to FCoE configuration mode. switch(config-fcoe-fabric-map)#exit switch(config-fcoe)# 7. Return to global configuration mode. switch(config-fcoe)#exit switch(config)# 8. Enter port-profile configuration mode. switch(config)#port-profile default 9. Enter FCoE-profile configuration mode. switch(config-port-profile-default)#fcoe-profile 10. Activate the FCoE port profile. An FCoE map cannot be applied on interfaces that already have a CEE map applied to it. switch(config-fcoe-profile)#fcoeport default Configuring QoS profiles QoS profiles define the following values: Incoming 802.1p priority is set to internal queue priority. If the port is in QoS untrusted mode, all incoming priorities will be mapped to default best effort priority. Incoming priority is set to outgoing priority. Mapping of incoming priorities is set to strict or WRR traffic classes. Enabling of flow control on a strict or a WRR traffic class. The QoS profile has two flavors: CEE QoS and Ethernet QoS. The QoS profile may contain either CEE QoS or Ethernet QoS. Server side ports typically are carrying converged traffic. To configure the QoS profile, perform the following steps in global configuration mode. 1. AMPP profiles can not be modified while active. De-activate the port-profile before modifying the VLAN profile. switch(config)#no port-profile vm1-port-profile activate 2. Enter QoS profile mode. switch(config)#port-profile vm1-port-profile switch(conf-pp)#qos-profile switch(conf-pp-qos)# 3. Apply the CEE map. switch(conf-pp-qos)#cee default 4. Set the default CoS value. switch(conf-pp-qos)#qos cos 7 5. Set the QoS trust attribute for CoS switch(conf-pp-qos)#qos trust cos 102 Brocade Network OS Administrator s Guide

127 Configuring AMPP port-profiles Apply a map to the profile. You may either: Apply the existing CoS-to-CoS mutation map. switch(conf-pp-qos)#qos cos-mutation vm1-cos2cos-map Apply the existing CoS-to-Traffic-Class map. switch(conf-pp-qos)#qos cos-traffic-class vm1-cos2traffic-map 7. Enable pause generation either: Without PFC. switch(conf-pp-qos)#qos flowcontrol tx on rx on With PFC for each CoS. switch(conf-pp-qos)#qos flowcontrol pfc 1 tx on rx on switch(conf-pp-qos)#qos flowcontrol pfc 2 tx on rx on 8. Exit QoS profile mode. switch(conf-pp-qos)#exit 9. Activate the profile. switch(config)#port-profile vm1-port-profile activate 10. Associate the profile to the MAC address for each host. switch(config)#port-profile vm1-port-profile static bf.0001 switch(config)#port-profile vm1-port-profile static bf.0002 switch(config)#port-profile vm1-port-profile static bf.0003 switch(config)#port-profile vm1-port-profile static bf.0004 switch(config)#port-profile vm1-port-profile static bf.0005 Configuring security profiles A security profile defines all the security rules needed for the server port. A typical security profile contains attributes for MAC-based standard and extended ACLs. To configure the security profile, perform the following steps in global configuration mode. 1. AMPP profiles can not be modified while active. De-activate the port-profile before modifying the security profile. switch(config)#no port-profile vm1-port-profile activate 2. Enter security profile configuration mode. switch(config)#port-profile vm1-port-profile switch(conf-pp)#security-profile switch(conf-pp-security)# 3. Modify the ACL security attributes. See Chapter 17, Configuring ACLs for details. 4. Apply the ACL to the security profile. switch(conf-pp-security)#mac access-group vm1-acl in 5. Exit security profile configuration mode. switch(conf-pp-security)#exit Brocade Network OS Administrator s Guide 103

128 11 Monitoring AMPP profiles 6. Activate the profile. switch(config)#port-profile vm1-port-profile activate 7. Associate the profile to the MAC address for each host. switch(config)#port-profile vm1-port-profile static bf.0001 switch(config)#port-profile vm1-port-profile static bf.0002 switch(config)#port-profile vm1-port-profile static bf.0003 switch(config)#port-profile vm1-port-profile static bf.0004 switch(config)#port-profile vm1-port-profile static bf.0005 Deleting a port-profile To delete a port-profile, perform the following steps in privileged EXEC mode. 1. Enter global configuration mode. switch#configure terminal Enter configuration commands, one per line. End with CNTL/Z. switch(config)# 2. Use the no version of the port-profile command to delete the custom profile. You cannot delete the default port-profile. switch(config)#no port-profile vm1-port-profile Monitoring AMPP profiles To monitor the AMPP profiles, perform the following steps in privileged EXEC mode. 1. Use the show command to display the current MAC details. switch#show mac-address-table port-profile Legend: Untagged(U), Tagged (T), Not Forwardable(NF) and Conflict(C) VlanId Mac-address Type State Port-Profile Ports Dynamic Active Profiled(U) Te 111/0/ b.7030 Dynamic Active Profiled(U) Te 111/0/ a Dynamic Active Profiled(T) Te 111/0/ a Dynamic Active Profiled(NF) Te 111/0/ a Dynamic Active Not Profiled Te 111/0/ a Dynamic Active Not Profiled Te 111/0/ a Dynamic Active Not Profiled Te 111/0/ a Dynamic Active Profiled(NF) Te 111/0/ a Dynamic Active Not Profiled Te 111/0/ a Dynamic Active Profiled(T) Te 111/0/ b Dynamic Active Profiled(T) Te 111/0/ c Dynamic Active Profiled(T) Te 111/0/ a Dynamic Active Profiled Te 111/0/ a Dynamic Active Profiled(NF) Te 111/0/ a Dynamic Active Not Profiled Te 111/0/ a Dynamic Active Profiled(NF) Te 111/0/ a Dynamic Active Profiled Te 111/0/24 Total MAC addresses : Brocade Network OS Administrator s Guide

129 Monitoring AMPP profiles Use the show running-config command to display all the available port-profile configurations. switch#show running-config port-profile port-profile default vlan-profile switchport switchport mode trunk switchport trunk allowed vlan all!! port-profile vm_kernel vlan-profile switchport switchport mode access switchport access vlan 1 3. Use the show port-profile command to display the current port-profile configuration. switch#show port-profile port-profile default ppid 0 vlan-profile switchport switchport mode trunk switchport trunk allowed vlan all port-profile vm_kernel ppid 1 vlan-profile switchport switchport mode access switchport access vlan 1 4. Use the show port-profile status command to display the current status of all AMPP profiles. switch#show port-profile status Brocade Network OS Administrator s Guide 105

130 11 Monitoring AMPP profiles 106 Brocade Network OS Administrator s Guide

131 Configuring FCoE Interfaces Chapter 12 In this chapter FCoE overview End-to-end FCoE Layer 2 Ethernet overview FCoE Initialization Protocol FCoE queuing Configuring FCoE interfaces FCoE overview Fibre Channel over Ethernet (FCoE) enables you to transport FC protocols and frames over Data Center Bridging (DCB) networks. DCB is an enhanced Ethernet network that enables the convergence of various applications in data centers (LAN, SAN, and HPC) onto a single interconnect technology. FCoE provides a method of encapsulating the Fibre Channel (FC) traffic over a physical Ethernet link. FCoE frames use a unique EtherType that enables FCoE SAN traffic and legacy LAN Ethernet traffic to be carried on the same link. FC frames are encapsulated in an Ethernet frame and sent from one FCoE-aware device across an Ethernet network to a second FCoE-aware device. The FCoE-aware devices may be FCoE end nodes (ENodes) such as servers, storage arrays, or tape drives on one end and FCoE Forwarders on the other end. FCoE Forwarders (FCFs) are switches providing SAN fabric services and may also provide FCoE-to-FC bridging. The motivation behind using DCB networks as a transport mechanism for FC arises from the desire to simplify host protocol stacks and consolidate network interfaces in data center environments. FC standards allow for building highly reliable, high-performance fabrics for shared storage, and these characteristics are what DCB brings to data centers. Therefore, it is logical to consider transporting FC protocols over a reliable DCB network in such a way that it is completely transparent to the applications. The underlying DCB fabric is highly reliable and high performing, the same as the FC SAN. In FCoE, ENodes discover FCFs and initialize the FCoE connection through the FCoE Initialization Protocol (FIP). The FIP has a separate EtherType from FCoE. The FIP includes a discovery phase in which ENodes discover VLANs supporting FCoE, solicit FCFs on those VLANs, and FCFs respond to the solicitations with advertisements of their own. At this point, the ENodes know enough about the FCFs to log in to them. The virtual link establishment and fabric login (FLOGI/FDISC) for VN-to-VF port connections is also part of the FIP. Brocade Network OS Administrator s Guide 107

132 12 End-to-end FCoE FCoE terminology Table 10 lists and describes the FCoE terminology used in this document. TABLE 10 Term FCoE DCB VN_port VF_port ENode FCoE terminology Description Fibre Channel over Ethernet Data Center Bridging FCoE equivalent of an FC N_port FCoE equivalent of an FC F_port An FCoE device that supports FCoE VN_ports (servers and target devices) End-to-end FCoE Virtual Cluster Switching (VCS ) is a convergence-ready fabric. This means it is capable of providing lossless service and other features expected of a CEE-capable network. Network OS v2.0.0 supports multi-hop FCoE, where an FCoE initiator can communicate with an FCoE target that is a number of hops away. FCoE operations Each switch in the VCS cluster acts as a fully functional FCoE Forwarder (FCF). All Fibre Channel (FC) services required to support a Virtual Network (VN) must run on every VCS cluster switch, and each switch in the fabric acts as if it were a separate domain in an FC SAN. For all practical purposes, a VCS fabric operates similarly to an FC fabric because all the FCoE initiators and targets are connected to the VCS fabric. Each switch in the cluster gets a domain ID, and once the fabric forms, all the FC services (such as Name Server, Login Controller, Domain Controller) are available on each individual cluster switch. In Network OS v2.0.0, there is no support for Fibre Channel (FC) zoning. Network OS v2.0.0 supports only open zoning for FCoE initiators. The fabric device limitation is set to 256 FCoE devices in a VCS cluster, because open zoning floods all the State Change Notifications (SCNs) to every FCoE device. FCoE traffic forwarding across the fabric follows the same equal-cost multi-path (ECMP) routing rules as LAN traffic forwarding. FCoE end-to-end forwarding FCoE frame forwarding between two FCoE devices attached to the VCS fabric works similarly to Layer 3 IP routing. The end-node talks to the default gateway s MAC address and the Layer 2 headers are modified hop-by-hop until the frame reaches its final destination. Forwarding decisions are based on the contents of the IP header in the case of IP routing, and the IP header is untouched along the path. FCoE forwarding works the same way. Figure 10 on page 109 illustrates this process. Assume that VN1 (an FCoE initiator) is trying to access VN2 (an FCoE target). 108 Brocade Network OS Administrator s Guide

133 End-to-end FCoE VN1 and VN2 discover VF1 and VF2 through FIP Discovery Protocol and perform a Fabric Login (FLOGI) to their respective VF ports. That is, VN1 performs an FIP FLOGI to VF1 and VN2 performs a FLOGI to VF2. This works like IP in that all communication between the end-station and the network happens to the router s MAC address at Layer 2. This means VN1 is always communicating with VF1 at Layer In a VCS fabric implementation, all FC services are available on every cluster unit. This means there is Fibre Channel Network Switch (FCNS) available on both FCF1 and FCF2. The FCNS service functions identically as it does in an FC SAN. As a result, VN1 discovers VN2. NOTE Network OS v2.0.0 has no FC zoning; therefore, it is all-access. 3. VN1 attempts an N_port Login (PLOGI) to VN2, with the frame information shown at point 1 in Figure 10. The Layer 2 header contains VF1 as the destination MAC address. The Layer 3 header (in this case, the FC header) contains the actual DID and SID of the initiator and the target respectively. In this example, because VN1 is connected to the FCF with a Domain ID of 1, its PID is Similarly, because VN2 is connected to FCF3, its FC address is FIGURE 10 FCoE end-to-end header process Domain ID:1 FCF-MAC: A 2 Domain ID:2 3 FCF-MAC: B Fa Fb Fc Fd Domain ID:3 FCF-MAC: C 1 VN1 VF1 VN2 VF2 4 Eth Hdr TRILL MAC addresses of the ISL end-points: Fa, Fb, Fc, Fd FCoE FC FCoE Initiator FCoE Target 2 3 DA=Fb DA=Fd 1 SA=Fa Etype=TRILL DST-RBridge=3 SRC-RBridge=1 SA=Fc Etype=TRILL DST-RBridge=3 SRC-RBridge=1 4 DA=VF1 SA=VN1 Etype=FCoE FCoE Hdr DID= SID= DA=FCFc SA=FCFA Etype=FCoE FCoE Hdr DID= SID= DA=FCFc SA=FCFA Etype=FCoE FCoE Hdr DID= SID= DA=VN2 SA=VF2 Etype=FCoE FCoE Hdr DID= SID= FC CRC FCS FC CRC FCS FC CRC FCS FC CRC FCS 4. When FCF-A receives the frame on VF1, it performs a Layer 3 lookup. It looks up the DID in the FC header and determines that the frame is destined to a non-local domain. FCF-A decodes the next hop needed to reach the destination domain of 3, based on Fabric Shortest Path First (FSPF). It is at this point that it does something different than a normal IP router. Brocade Network OS Administrator s Guide 109

134 12 End-to-end FCoE 5. FCF-A now knows that it needs to reach FCF-C. Each FCF in the VCS fabric is assigned an FCF MAC address. FCF-A constructs the Layer 2 header based on this information. So, the original MAC header is now transformed as follows: the DA is changed from VF1 to FCF-C and the SA is changed from VN1 to FCF-A. This is occurs at point 2 in Figure The frame gets a Transparent Interconnection of Lot of Links (TRILL) header and traverses across the fabric to reach FCF-C. The TRILL header indicates that the source is RBridge 1 and the destination is RBridge 3. This occurs at point 2 in Figure The outer MAC header is a link level header that gets the frame from FCF-A to FCF-B. FCF-B receives the frame. FCF-B scans the TRILL header, decodes the destination RBridge ID in the frame, and forwards the frame. FCF-B only modifies the Layer 2 header. It neither looks up nor modifies anything in the FC header or the inner MAC header. This occurs at point 3 in Figure FCF-C receives the frame. FCF-C scans the TRILL header and decodes the destination RBridge ID. FCF-C promotes the frame to Layer 3 lookup, because the FCF-C is the DA in the inner MAC header. FCF-C then scans the FC header and does something similar to an area route lookup in FC SAN. This lookup yields the MAC address of VN2 and the VF interface (in this case, VF2) information that it needs to use to forward the frame to VN2. This is occurs at point 4 in Figure VN2 receives the PLOGI. The PLOGI response from VN2 traverses back to VN1 in similar fashion. NOTE It is assumed that both VN1 and VN2 are configured to be in the same FCoE VLAN, and FCoE forwarding is enabled on this VLAN in the VCS fabric. Network OS v2.0.0 supports only one FCoE VLAN for all FCoE devices connected to the fabric. 110 Brocade Network OS Administrator s Guide

135 Layer 2 Ethernet overview 12 Layer 2 Ethernet overview The Brocade VDX 6720 hardware contains DCB ports that support FCoE forwarding. The DCB ports are also backwards-compatible and support classic Layer 2 Ethernet networks (see Figure 11). In Layer 2 Ethernet operation, a host with a Converged Network Adapter (CNA) can be directly attached to a DCB port on the Brocade VDX 6720 hardware. Another host with a classic 10-Gigabit Ethernet Network Interface Card (NIC) can be either directly attached to a DCB port, or attached to a classic Layer 2 Ethernet network which is attached to the Brocade VDX 6720 hardware. FIGURE 11 Multiple switch fabric configuration Classic Layer 2 Ethernet switch Host 3 Classic NIC Host 1 Brocade 8000 Host 2 switch CNA or classic NIC CNA or classic NIC FC switch FC switch Storage Layer 2 forwarding Layer 2 Ethernet frames are forwarded on the DCB ports Q VLAN support is used to tag incoming frames to specific VLANs, and 802.3ac VLAN tagging support is used to accept VLAN tagged frames from external devices. Network OS v2.0.0 uses the following 802.1D bridging protocols between Layer 2 switches and to maintain a loop-free network environment: Spanning Tree Protocol (STP) Rapid Spanning Tree Protocol (RSTP) Multiple Spanning Tree Protocol (MSTP) Per-VLAN Spanning Tree (PVST+) Rapid Per-VLAN Spanning Tree (RPVST+) For detailed information on configuring these protocols, see Configuring STP, RSTP, MSTP, and PVST on page 131. The Brocade VDX 6720 hardware handles Ethernet frames as follows: When the destination MAC address is not in the lookup table, the frame is flooded on all ports in the same VLAN, except the ingress port. When the destination MAC address is present in the lookup table, the frame is switched only to the correct egress port. When the destination MAC address is present in the lookup table, and the egress port is the same as the ingress port, the frame is dropped. Brocade Network OS Administrator s Guide 111

136 12 Layer 2 Ethernet overview If the Ethernet Frame Check Sequence (FCS) is incorrect, because the switch is in cut-through mode, a correctly formatted Ethernet frame is sent out with an incorrect FCS. If the Ethernet frame is too short, the frame is discarded and the error counter is incremented. If the Ethernet frame is too long, the frame is truncated and the error counter is incremented. The truncated frame is sent out with an incorrect FCS. Frames sent to a broadcast destination MAC address are flooded on all ports in the same VLAN, except the ingress port. When MAC address entries in the lookup table time out, they are removed. In this event, frame forwarding changes from unicast to flood. An existing MAC address entry in the lookup table is discarded when a device is moved to a new location. When a device is moved, the ingress frame from the new port causes the old lookup table entry to be discarded and the new entry to be inserted into the lookup table. Frame forwarding remains unicast to the new port. When the lookup table is full, new entries replace the oldest MAC addresses after the oldest MAC addresses reach a certain age and time out. MAC addresses that still have traffic running are not timed out. NOTE New entries start replacing older entries when the lookup table reaches 90 percent of its 32K capacity. VLAN tagging The Layer 2 switch always tags an incoming frame with a VLAN ID. If the incoming frame is untagged, then a tag is added according to the port configuration. A port can classify untagged traffic to a single VLAN or to multiple VLANs. If the incoming frame is already tagged, then the port will either forward or discard the frame according to allowed VLAN rules in the port configuration. These are three examples of VLAN tagging: If the DCB port is configured to tag incoming frames with a single VLAN ID, then incoming frames that are untagged are tagged with the VLAN ID. If the DCB port is configured to tag incoming frames with multiple VLAN IDs, then incoming frames that are untagged are tagged with the correct VLAN ID based on the port setting. If the DCB port is configured to accept externally tagged frames, then incoming frames that are tagged with a VLAN ID are passed through unchanged. NOTE Only a single switch-wide VLAN is capable of forwarding FCoE traffic. For detailed information on configuring VLANs, see Configuring VLANs on page 121. Frame classification (incoming) The Brocade VDX 6720 hardware is capable of classifying incoming Ethernet frames based on the following criteria: Port number Protocol MAC address 112 Brocade Network OS Administrator s Guide

137 Layer 2 Ethernet overview 12 The classified frames can be tagged with a VLAN ID or with 802.1p Ethernet priority. The 802.1p Ethernet priority tagging is done using the Layer 2 Class of Service (CoS). The 802.1p Ethernet priority is used to tag frames in a VLAN with a Layer 2 CoS to prioritize traffic in the VLAN. The Brocade VDX 6720 hardware also accepts frames that have been tagged by an external device. Frame classification options are as follows: VLAN ID and Layer 2 CoS by physical port number With this option, the port is set to classify incoming frames to a preset VLAN ID and the Layer 2 CoS on a physical port on the Brocade VDX 6720 hardware. VLAN ID and Layer 2 CoS by LAG virtual port number With this option, the port is set to classify incoming frames to a preset VLAN ID and Layer 2 CoS on a Link Aggregation Group (LAG) virtual port. Layer 2 CoS mutation With this option, the port is set to change the Layer 2 CoS setting by enabling the QoS mutation feature. Layer 2 CoS trust With this option, the port is set to accept the Layer 2 CoS of incoming frames by enabling the QoS trust feature. For detailed information on configuring QoS, see Configuring QoS on page 181. Congestion control and queuing The Brocade VDX 6720 hardware supports several congestion control and queuing strategies. As an output queue approaches congestion, Random Early Detection (RED) is used to selectively and proactively drop frames to maintain maximum link utilization. Incoming frames are classified into priority queues based on the Layer 2 CoS setting of the incoming frame, or the possible rewriting of the Layer 2 CoS field based on the settings of the DCB port or VLAN. The Brocade VDX 6720 hardware supports a combination of two scheduling strategies to queue frames to the egress ports: Priority queuing, which is also referred to as strict priority, and Deficit Weighted Round Robin (DWRR) queuing. The scheduling algorithms work on the eight traffic classes as specified in 802.1Qaz Enhanced Transmission Selection (ETS). Queuing features are described as follows: RED RED increases link utilization. When multiple inbound TCP traffic streams are switched to the same outbound port, and some traffic streams send small frames while other traffic streams send large frames, link utilization will not be able to reach 100 percent. When RED is enabled, link utilization approaches 100 percent. Classification Setting user priority. - Inbound frames are tagged with the user priority set for the inbound port. The tag is visible when examining the frames on the outbound port. By default, all frames are tagged to priority zero. - Externally tagged Layer 2 frames When the port is set to accept externally tagged Layer 2 frames, the user priority is set to the Layer 2 CoS of the inbound frames. Brocade Network OS Administrator s Guide 113

138 12 Layer 2 Ethernet overview Queuing - Input queuing Input queuing optimizes the traffic flow in the following way. A DCB port has inbound traffic that is tagged with several priority values, and traffic from different priority settings is switched to different outbound ports. Some outbound ports are already congested with background traffic while others are uncongested. With input queuing, the traffic rate of the traffic streams switched to uncongested ports should remain high. - Output queuing Output queuing optimizes the traffic flow in the following way. Several ports carry inbound traffic with different priority settings. Traffic from all ports is switched to the same outbound port. If the inbound ports have different traffic rates, some outbound priority groups will be congested while others can remain uncongested. With output queuing, the traffic rate of the traffic streams that are uncongested should remain high. - Multicast rate limit A typical multicast rate limiting example is where several ports carry multicast inbound traffic that is tagged with several priority values. Traffic with different priority settings is switched to different outbound ports. The multicast rate limit is set so that the total multicast traffic rate on output ports is less than the specified set rate limit. - Multicast input queuing A typical multicast input queuing example is where several ports carry multicast inbound traffic that is tagged with several priority values. Traffic with different priority settings is switched to different outbound ports. Some outbound ports are already congested with background traffic while others are uncongested. The traffic rate of the traffic streams switched to the uncongested ports should remain high. All outbound ports should carry some multicast frames from all inbound ports. This enables multicast traffic distribution relative to the set threshold values. - Multicast output queuing A typical multicast output queuing example is where several ports carry multicast inbound traffic. Each port has a different priority setting. Traffic from all ports is switched to the same outbound port. If the inbound ports have varying traffic rates, some outbound priority groups will be congested while others remain uncongested. The traffic rate of the traffic streams that are uncongested remains high. The outbound ports should carry some multicast frames from all the inbound ports. Scheduling A typical example of scheduling policy (using Strict Priority 0 and Strict Priority 1 modes) is where ports 0 through 7 carry inbound traffic, each port has a unique priority level, port 0 has priority 0, port 1 has priority 1, and so on. All traffic is switched to the same outbound port. In Strict Priority 0 mode, all ports have DWRR scheduling; therefore, the frames-per-second (FPS) on all ports should correspond to the DWRR settings. In Strict Priority 1 mode, priority 7 traffic uses Strict Priority; therefore, priority 7 can achieve a higher FPS. Frames from input ports with the same priority level should be scheduled in a round robin manner to the output port. When setting the scheduling policy, each priority group that is using DWRR scheduling can be set to use a percentage of the total bandwidth by setting the PG_Percentage parameter. For detailed information on configuring QoS, see Configuring QoS on page 181. Access control Access Control Lists (ACLs) are used for Layer 2 switching security. Standard ACLs inspect the source address for the inbound ports. Extended ACLs provide filtering by source and destination addresses and protocol. ACLs can be applied to the DCB ports or to VLANs. 114 Brocade Network OS Administrator s Guide

139 Layer 2 Ethernet overview 12 ACLs function as follows: A standard Ethernet ACL configured on a physical port is used to permit or deny frames based on the source MAC address. The default is to permit all frames. An extended Ethernet ACL configured on a physical port is used to permit or deny frames based on the source MAC address, destination MAC address, and EtherType. The default is to permit all frames. A standard Ethernet ACL configured on a LAG virtual port is used to permit or deny frames based on the source MAC address. The default is to permit all frames. LAG ACLs apply to all ports in the LAG. An extended Ethernet ACL configured on a LAG virtual port is used to permit or deny frames based on the source MAC address, destination MAC address, and EtherType. The default is to permit all frames. LAG ACLs apply to all ports in the LAG. A standard Ethernet ACL configured on a VLAN is used to permit or deny frames based on the source MAC address. The default is to permit all frames. VLAN ACLs apply to the Switch Vertical Interface (SVI) for the VLAN. An extended Ethernet ACL configured on a VLAN is used to permit or deny frames based on the source MAC address, destination MAC address, and EtherType. The default is to permit all frames. VLAN ACLs apply to the Switch Vertical Interface (SVI) for the VLAN. For detailed information on configuring ACLs, see Configuring ACLs on page 175. Trunking NOTE The term trunking in an Ethernet network refers to the use of multiple network links (ports) in parallel to increase the link speed beyond the limits of any one single link or port, and to increase the redundancy for higher availability ab Link Layer Discovery Protocol (LLDP) is used to detect links to connected switches or hosts. Trunks can then be configured between an adjacent switch or host and the Brocade VDX 6720 hardware. The Data Center Bridging Capability Exchange Protocol (DCBX) extension is used to identify a DCB-capable port on an adjacent switch or host. For detailed information on configuring LLDP and DCBX, see Configuring LLDP on page 163. The 802.3ad Link Aggregation Control Protocol (LACP) is used to combine multiple links to create a trunk with the combined bandwidth of all the individual links. For detailed information on configuring LACP, see Configuring Link Aggregation on page 155. NOTE The Brocade software supports a maximum of 24 LAG interfaces. Flow control 802.3x Ethernet pause and Ethernet Priority-based Flow Control (PFC) are used to prevent dropped frames by slowing traffic at the source end of a link. When a port on a switch or host is not ready to receive more traffic from the source, perhaps due to congestion, it sends pause frames to the source to pause the traffic flow. When the congestion has been cleared, it stops requesting the source to pause traffic flow, and traffic resumes without any frame drop. Brocade Network OS Administrator s Guide 115

140 12 FCoE Initialization Protocol When Ethernet pause is enabled, pause frames are sent to the traffic source. Similarly, when PFC is enabled, there is no frame drop; pause frames are sent to the source switch. For detailed information on configuring Ethernet pause and PFC, see Configuring QoS on page 181. FCoE Initialization Protocol The FCoE Initialization Protocol (FIP) discovers and establishes virtual links between FCoE-capable entities connected to an Ethernet cloud through a dedicated EtherType, 0x8914, in the Ethernet frame. FIP discovery NOTE This software version supports ANSI INCITS Fibre Channel Backbone 5 (FC-BB-5) / 13-May The Brocade VDX 6720 hardware FIP discovery phase operates as follows: The Brocade VDX 6720 hardware uses the FCoE Initialization Protocol (FIP). ENodes discover VLANs supporting FCoE, FCFs, and then initialize the FCoE connection through the FIP. VF_port configuration An FCoE port accepts ENode requests when it is configured as a VF_port and enabled. An FCoE port does not accept ENode requests when disabled. Solicited advertisements A typical scenario is where a Brocade VDX 6720 hardware receives a FIP solicitation from an ENode. Replies to the original FIP solicitation are sent to the MAC address embedded in the original FIP solicitation. After being accepted, the ENode is added to the VN_port table. VLAN 1 The Brocade VDX 6720 hardware should not forward FIP frames on VLAN 1 because it is reserved for management traffic only. A fabric-provided MAC address is supported. A server-provided MAC address is not supported in the Network OS v2.0.0 release. NOTE In the fabric-provided MAC address format, VN_port MAC addresses are based on a 24-bit fabric-supplied value. The first three bytes of this value are referred to as the FCMAP. The next three bytes are the FC ID, which is assigned by the switch when the ENode logs in to the switch. FIP login FIP login operates as follows: ENodes can log in to the Brocade VDX 6720 hardware using FIP. Fabric login (FLOGI) and fabric discovery (FDISC) are accepted. Brocade VDX 6720 hardware in the fabric maintains the MAC address, World Wide Name (WWN), and PID mappings per login. Each ENode port should have a unique MAC address and WWN. 116 Brocade Network OS Administrator s Guide

141 FCoE Initialization Protocol 12 FIP FLOGI The Brocade VDX 6720 hardware accepts the FIP FLOGI from the ENode. The FIP FLOGI acceptance (ACC) is sent to the ENode if the ENode MAC address or WWN matches the VN_port table on the Brocade VDX 6720 hardware. The FIP FLOGI request is rejected if the ENode MAC address or WWN does not match. The ENode login is added to the VN_port table. Fabric Provided MAC Addressing (FPMA) is supported. FIP FDISC The Brocade VDX 6720 hardware accepts FIP FDISC from the ENode. FIP FDISC acceptance (ACC) is sent to the ENode if the ENode MAC address or WWN matches the VN_port table on the Brocade VDX 6720 hardware. The FIP FDISC request is rejected if the ENode MAC address or WWN does not match. The ENode login is added to the VN_port table. FPMA is supported. Maximum logins per VF_port The Brocade VDX 6720 hardware supports a maximum of 255 logins per VF_port. The VF_port rejects further logins after the maximum is reached. Maximum logins per switch The Brocade VDX 6720 hardware accepts a maximum of 4096 logins per switch. However, Brocade does not recommend that you allow more than 256 logins per VCS cluster because Network OS v2.0.0 does not support zoning. FIP logout FIP logout operates as follows: ENodes and VN_ports can log out from the Brocade VDX 6720 hardware using FIP. The Brocade VDX 6720 hardware in the fabric updates the MAC address, WWN, and PID mappings upon logout. The Brocade VDX 6720 hardware also handles scenarios of implicit logout where the ENode has left the fabric without explicitly logging out. FIP logout (LOGO) The Brocade VDX 6720 hardware accepts a FIP LOGO from the ENode. The FIP LOGO acceptence (ACC) should be sent to the ENode if the ENode MAC address and the VN_port MAC address matches the VN_port table data on the switch. The LOGO is ignored (not rejected) if the ENode MAC address does not match. The ENode logout is updated in the VN_port table. Implicit logout With the ENode directly connected to a DCB port, if the port that the ENode is attached to goes offline, the Brocade VDX 6720 hardware implicitly logs out that ENode. ENode logout is updated in the VN_port table. The Brocade VDX 6720 hardware sends an FIP Clear Virtual Links (CVL) to the ENode. The FIP Virtual Link Maintenance protocols provide a mechanism to detect reachability loss to an Enode or any VN_port instantiated on that ENode. This is accomplished by the periodic transmission of FIP Keep-Alive (FKA) messages from the ENode. If FKA timeouts are enabled on the switch, all VN_ports associated with an ENode will be implicitly logged out in the event of an ENode FKA timeout. If FKA timeouts are enabled on the switch, the VN_port will be implicitly logged out in the event of a VN_port FKA timeout. Name server The Brocade VDX 6720 hardware name server function operates as follows: ENode login and logout to and from the Brocade VDX 6720 hardware updates the name server in the FC fabric. The Brocade VDX 6720 hardware maintains the MAC address to WWN and PID mappings. Brocade Network OS Administrator s Guide 117

142 12 FCoE queuing ENode login and logout When an ENode login occurs through any means (FIP FLOGI, FIP FDISC, FCoE FLOGI, or FCoE FDISC), an entry is added to the name server. When an ENode logout occurs through any means (FIP LOGO, FCoE LOGO, or implicit logout), the entry is removed from the name server. ENode data The Brocade VDX 6720 hardware maintains a VN_port table. The table tracks the ENode MAC address, FIP login parameters for each login from the same ENode, and WWN and PID mappings on the FC side. You can display the VN_port table with the show fcoe login command. Registered State Change Notification The Brocade VDX 6720 hardware Registered State Change Notification (RSCN) function operates as follows: RSCN events generated in the FC fabric are forwarded to the ENodes. RSCN events generated on the FCoE side are forwarded to the FC devices. DCB is not aware of RSCN events. Device RSCN An RSCN is generated to all registered and affected members when an ENode either logs in or logs out of an FCF through any means. An RSCN is generated when an FC N_port device either logs in or logs out of the FC fabric. NOTE When transmitting an RSCN, zoning rules still apply for FCoE devices as the devices are treated as regular FC N_ports. VF_port RSCN An RSCN is generated to all registered members when a VF_port goes online or offline, causing ENode or FC devices to be added or removed. Domain RSCN An RSCN is generated to all registered and affected members when an FC switch port goes online or offline, causing ENode or FC devices to be added or removed. An RSCN is generated when two FC switches merge or segment, causing ENode or FC devices to be added or removed. When FC switches merge or segment, an RSCN is propagated to ENodes. Zoning RSCN An RSCN is generated to all registered and affected members when a zoning exchange occurs in the FC fabric. FCoE queuing The QoS configuration controls the FCoE traffic distribution. Note that changing these settings requires changes on both the Brocade VDX 6720 hardware and the Converged Network Adapter (CNA); therefore, the link must be taken offline and put back online after a change is made. Traffic scheduler configuration changes affect FCoE traffic distribution as follows: Changing the priority group for a port causes the FCoE traffic distribution to be updated. The priority group and bandwidth are updated. Changing the priority table for a port causes the FCoE traffic distribution to be updated. The CoS-to-priority group mapping is updated. Changing the class map for a port causes the FCoE traffic distribution to be updated. Changing the policy map for a port causes FCoE traffic distribution to be updated. Changing the DCB map for a port causes the FCoE traffic distribution to be updated. 118 Brocade Network OS Administrator s Guide

143 Configuring FCoE interfaces 12 The FCMAP-to-VLAN mapping determines the FCoE VLAN allowed for the FCoE session. Modifying this mapping causes the existing sessions to terminate. NOTE Only one FCoE VLAN is supported in the Network OS v2.0.0 release. Configuring FCoE interfaces FCoE maps are used to configure FCoE properties on interfaces. An FCoE map is a placeholder for an FCoE VLAN and a CEE map. You will assign FCoE maps on to physical interfaces using the fcoeport command. Once the FCoE map is assigned onto an interface: The corresponding FCoE VLAN 1002 is applied to the interface. The corresponding CEE map is applied to the interface. The FCoE/FIP vlan classifiers are applied to the interface. In short, the interface becomes capable of carrying FCoE traffic. The FCoE map can be applied on an interface only if the FCoE map is complete in all aspects. That is, it should have an FCoE VLAN and a CEE map associated with it. Only a single FCoE map is allowed, which is created automatically with the name default. You are not able to delete or rename this map. By default, the FCoE VLAN associated to the FCoE map is FCoE VLAN (1002) and the CEE map associated is the default CEE map (also called default ). Assigning an FCoE map onto an interface The FCoE map cannot be edited if it is associated with any interfaces. The FCoE map can be applied, irrespective of whether or not the interface is in switchport mode. But the FCoE map cannot be applied on an interface if the same interface already has a CEE map assigned to it. To assign the FCoE map onto an interface, perform the following steps in global configuration mode. 1. Activate the interface configuration mode for the interface you wish to modify. The following example activates the mode for the 10 Gigabit Ethernet interface in slot 0/port 0. switch(config)#interface tengigabitethernet 0/1 switch(conf-if-te-0/1)# 2. Apply the current FCoE profile map to the interface using the fcoeport command. switch(conf-if-te-0/1)# fcoeport 3. Return to the Privileged EXEC mode using the end command. switch(conf-if-te-0/1)#end switch# 4. Confirm the changes to the interface with the show running-config command. switch#show running-config interface tengigabitethernet 0/1 interface TenGigabitEthernet 0/1 fcoeport shutdown Brocade Network OS Administrator s Guide 119

144 12 Configuring FCoE interfaces 5. Use the show fcoe fabric-map default command to confirm the current status of the FCoE map. switch# show fcoe fabric-map default ============================================================================ Fabric-Map VLAN VFID Pri FCMAP FKA Timeout ============================================================================ default 1002[D] 128[D] 3[D] 0xefc00[D] 8000[D] Enabled[D] Total number of Fabric Maps = 1 6. Repeat this procedure for any additional interfaces. 120 Brocade Network OS Administrator s Guide

145 Configuring VLANs Chapter 13 In this chapter VLAN overview Ingress VLAN filtering VLAN configuration guidelines and restrictions Default VLAN configuration VLAN configuration and management Configuring protocol-based VLAN classifier rules Configuring the MAC address table VLAN overview IEEE 802.1Q Virtual LANs (VLANs) provide the capability to overlay the physical network with multiple virtual networks. VLANs allow you to isolate network traffic between virtual networks and reduce the size of administrative and broadcast domains. A VLAN contains end stations that have a common set of requirements that are independent of physical location. You can group end stations in a VLAN even if they are not physically located in the same LAN segment. VLANs are typically associated with IP subnetworks and all the end stations in a particular IP subnet belong to the same VLAN. Traffic between VLANs must be routed. VLAN membership is configurable on a per interface basis. The VLAN used for carrying FCoE traffic needs to be explicitly designated as the FCoE VLAN. FCoE VLANs are configured through the Network OS CLI (see Configuring an interface port as a Layer 2 switch port on page 125). NOTE Currently only one VLAN can be configured as the FCoE VLAN. Ingress VLAN filtering A frame arriving at Brocade VDX 6720 hardware is either associated with a specific port or with a VLAN, based on whether the frame is tagged or untagged: Admit tagged frames only The port the frame came in on is assigned to a single VLAN or to multiple VLANs depending on the VLAN ID in the frame s VLAN tag. This is called trunk mode. Admit untagged frames only These frames are assigned the port VLAN ID (PVID) assigned to the port the frame came in on. This is called access mode. Brocade Network OS Administrator s Guide 121

146 13 Ingress VLAN filtering Admit VLAN tagged and untagged frames All tagged and untagged frames would be processed as follows: - All untagged frames are classified into native VLANs. - All frames egressing are untagged for the native VLANs, unless the port has a CEE map or is an FCoE port, in which case the egress frames are priority tagged. - Any tagged frames coming with a VLAN tag equal to the configured native VLAN are processed. - For ingress and egress, non-native VLAN tagged frames are processed according to the allowed VLAN user specifications. This is called trunk mode. NOTE Ingress VLAN filtering is enabled by default on all Layer 2 interfaces. This ensures that VLANs are filtered on the incoming port (depending on the user configuration). Figure 12 displays the frame processing logic for an incoming frame. FIGURE 12 Ingress VLAN filtering Incoming frame on an interface Is the port a trunk? Yes Is the VLAN ID an allowed VLAN? No No Yes Drop frame No Drop frame Is the port an access interface? Yes Assign the frame to the VLAN present in the VLAN ID field of the Ethernet header Does the frame match any of the configured VLAN classifiers (MAC address based and protocol based)? No Yes Assign the frame to the classified VLAN Assign the frame to the configured PVID There are important facts you should know about Ingress VLAN filtering: Ingress VLAN filtering is based on port VLAN membership. Port VLAN membership is configured through the Network OS CLI. Dynamic VLAN registration is not supported. The Brocade VDX 6720 hardware does VLAN filtering at both the ingress and egress ports. The VLAN filtering behavior on logical Layer 2 interfaces such as LAG interfaces is the same as on port interfaces. 122 Brocade Network OS Administrator s Guide

147 VLAN configuration guidelines and restrictions 13 The VLAN filtering database (FDB) determines the forwarding of an incoming frame. Additionally, there are important facts you should know about the VLAN FDB: The VLAN FDB contains information that helps determine the forwarding of an arriving frame based on MAC address and VLAN ID data. The FDB contains both statically configured data and dynamic data that is learned by the switch. The dynamic updating of FDB entries using learning is supported (if the port state permits). Dynamic FDB entries are not created for multicast group addresses. Dynamic FDB entries are aged out based on the aging time configured per Brocade VDX 6720 hardware. The aging time is between 60 and seconds. The default is 300 seconds. You can add static MAC address entries specifying a VLAN ID. Static entries are not aged out. A static FDB entry overwrites an existing dynamically learned FDB entry and disables learning of the entry going forward. NOTE For more information on frame handling for Brocade VDX 6720 hardware, see Layer 2 Ethernet overview on page 111. VLAN configuration guidelines and restrictions Follow these VLAN configuration guidelines and restrictions when configuring VLANs. In an active topology, MAC addresses can be learned, per VLAN, using Independent VLAN Learning (IVL) only. A MAC address ACL always overrides a static MAC address entry. In this case, the MAC address is the forwarding address and the forwarding entry can be overwritten by the ACL. The Brocade DCB switch supports Ethernet DIX frames and LLC SNAP encapsulated frames only. Default VLAN configuration Table 11 lists the default VLAN configuration. TABLE 11 Parameter Default VLAN configuration Default setting Default VLAN VLAN 1 Interface VLAN assignment All interfaces assigned to VLAN 1 VLAN state MTU size Active 2500 bytes Brocade Network OS Administrator s Guide 123

148 13 VLAN configuration and management VLAN configuration and management NOTE Enter the copy running-config startup-config command to save your configuration changes. Enabling and disabling an interface port NOTE DCB interfaces are disabled by default in standalone mode, but enabled by default in VCS fabric mode. NOTE DCB interfaces do not support auto-negotiation of Ethernet link speeds. The DCB interfaces support 10-Gigabit Ethernet and Gigabit Ethernet. To enable and disable an interface port, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the shutdown command to toggle the availability of the interface. To enable the DCB interface: switch(conf-if-te-0/1)#no shutdown To disable the DCB interface: switch(conf-if-te-0/1)#shutdown Configuring the MTU on an interface port To configure the maximum transmission unit (MTU) on an interface port, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the interface port type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the no shutdown command to enable the interface port. 4. Enter the mtu command to specify the MTU value on the interface port. switch(conf-if-te-0/1)#mtu 4200 Creating a VLAN interface On Brocade VDX 6720 hardware, VLANs are treated as interfaces from a configuration point of view. By default all the DCB ports are assigned to VLAN 1 (VLAN ID equals 1). The vlan_id value can be 1 through VLAN IDs 3584 through 4094 are internally-reserved VLAN IDs. 124 Brocade Network OS Administrator s Guide

149 VLAN configuration and management 13 To create a VLAN interface, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface vlan command to assign the VLAN interface number. switch(config)#interface vlan 1002 Enabling STP on a VLAN Once all of the interface ports have been configured for a VLAN, you can enable Spanning Tree Protocol (STP) for all members of the VLAN with a single command. Whichever protocol is currently selected is used by the VLAN. Only one type of STP can be active at a time. A physical interface port can be a member of multiple VLANs. For example, a physical port can be a member of VLAN 1002 and VLAN 55 simultaneously. In addition, VLAN 1002 can have STP enabled and VLAN 55 can have STP disabled simultaneously. To enable STP for a VLAN, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the protocol spanning tree command to select the type of STP for the VLAN. switch(config)#protocol spanning tree mstp 3. Enter the interface command to select the VLAN interface number. switch(config)#interface vlan Enter the spanning-tree shutdown command to enable spanning tree on VLAN switch(conf-if-vl-1002)#no spanning-tree shutdown Disabling STP on a VLAN Once all of the interface ports have been configured for a VLAN, you can disable STP for all members of the VLAN with a single command. To disable STP for a VLAN, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to select the VLAN interface number. switch(config)#interface vlan Enter the spanning-tree shutdown command to disable spanning tree on VLAN switch(conf-if-vl-55)#spanning-tree shutdown Configuring an interface port as a Layer 2 switch port To configure the interface as a Layer 2 switch port, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 Brocade Network OS Administrator s Guide 125

150 13 VLAN configuration and management 3. Enter the no shutdown command to enable the DCB interface. 4. Enter the switchport command to configure the interface as a Layer 2 switch port. 5. Enter the do show command to confirm the status of the DCB interface. For example switch(conf-if-te-0/1)#do show interface tengigabitethernet 0/1 6. Enter the do show command to confirm the status of the DCB interface running configuration. switch(conf-if-te-0/1)#do show running-config interface tengigabitethernet 0/1 Configuring an interface port as an access interface Each DCB interface port supports admission policies based on whether the frames are untagged or tagged. Access mode admits only untagged and priority-tagged frames. To configure the interface as an access interface, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the no shutdown command to enable the DCB interface. 4. Enter the switchport command to configure the DCB interface as a Layer 2 switch port. switch(conf-if-te-0/1)#switchport access vlan 20 Configuring an interface port as a trunk interface Each DCB interface port supports admission policies based on whether the frames are untagged or tagged. Trunk mode admits only VLAN-tagged frames. To configure the interface as a trunk interface, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/19 3. Enter the no shutdown command to enable the DCB interface. 4. Enter the switchport command to place the DCB interface into trunk mode. switch(conf-if-te-0/19)#switchport mode trunk 5. Specify whether all, one, or none of the VLAN interfaces are allowed to transmit and receive through the DCB interface. Enter the following command that is appropriate for your needs. This example allows the VLAN numbered as 30 to transmit/receive through the DCB interface: switch(conf-if-te-0/19)#switchport trunk allowed vlan add 30 To allow all VLANs to transmit/receive through the DCB interface: switch(conf-if-te-0/19)#switchport trunk allowed vlan all 126 Brocade Network OS Administrator s Guide

151 Configuring protocol-based VLAN classifier rules 13 This example allows all except VLAN 11 to transmit/receive through the DCB interface: switch(conf-if-te-0/19)#switchport trunk allowed vlan except 11 To allow none of the VLANs to transmit/receive through the DCB interface: switch(conf-if-te-0/19)#switchport trunk allowed vlan none Disabling a VLAN on a trunk interface To disable a VLAN on a trunk interface, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/10 3. Enter the no shutdown command to enable the DCB interface. 4. Enter the switchport command to place the DCB interface into trunk mode. switch(conf-if-te-0/10)#switchport mode trunk none Configuring protocol-based VLAN classifier rules You can configure VLAN classifier rules to define specific rules for classifying frames to selected VLANs based on protocol and MAC addresses. Sets of rules can be grouped into VLAN classifier groups (see Creating a VLAN classifier group and adding rules on page 128). VLAN classifier rules (1 through 256) are a set of configurable rules that reside in one of these categories: 802.1Q protocol-based classifier rules Source MAC address-based classifier rules Encapsulated Ethernet classifier rules NOTE Multiple VLAN classifier rules can be applied per interface provided the resulting VLAN IDs are unique for the different rules Q protocol-based VLANs apply only to untagged frames, or frames with priority tagging. With both Ethernet-II and SNAP encapsulated frames, the following protocol types are supported: Ethernet hexadecimal (0x0000 through 0xffff) Address Resolution Protocol (ARP) Fibre Channel over Ethernet (FCoE) FCoE Initialization Protocol (FIP) IP version 6 (IPv6) NOTE For complete information on all available VLAN classifier rule options, see the Converged Enhanced Ethernet Command Reference. Brocade Network OS Administrator s Guide 127

152 13 Configuring protocol-based VLAN classifier rules Configuring a VLAN classifier rule To configure a protocol-based VLAN classifier rule, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the vlan classifier rule command to configure a protocol-based VLAN classifier rule. switch(config)#vlan classifier rule 1 proto fcoe encap ethv2 Configuring MAC address-based VLAN classifier rules To configure a MAC address-based VLAN classifier rule, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the vlan classifier rule command to configure a MAC address-based VLAN classifier rule. switch(config)#vlan classifier rule 5 mac c.7fid Deleting a VLAN classifier rule VLAN classifier groups (1 through 16) can contain any number of VLAN classifier rules. To configure a VLAN classifier group and remove a VLAN classifier rule, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Specify a VLAN classifier group and delete a rule. switch(config)#vlan classifier group 1 delete rule 1 Creating a VLAN classifier group and adding rules VLAN classifier groups (1 through 16) can contain any number of VLAN classifier rules. To configure a VLAN classifier group and add a VLAN classifier rule, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Create a VLAN classifier group and add a rule. switch(config)#vlan classifier group 1 add rule 1 Activating a VLAN classifier group with an interface port To associate a VLAN classifier group with an interface port, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/ Brocade Network OS Administrator s Guide

153 Configuring the MAC address table Enter the no shutdown command to enable the DCB interface. 4. Enter the vlan classifier command to activate and associate it with a VLAN interface (group 1 and VLAN 2 are used in this example). switch(conf-if-te-0/10)#vlan classifier activate group 1 vlan 2 NOTE This example assumes that VLAN 2 was already created. Clearing VLAN counter statistics To clear VLAN counter statistics, enter the clear command to clear the VLAN counter statistics for the specified VLAN. The vlan_id value can be 1 through Example of clearing VLAN counter statistics. switch#clear counter interface vlan 20 Displaying VLAN information To display VLAN information, perform the following steps from privileged EXEC mode. 1. Enter the show interface command to display the configuration and status of the specified interface. switch#show interface tengigabitethernet 0/10 port-channel 10 switchport 2. Enter the show vlan command to display the specified VLAN information. For example, this syntax displays the status of VLAN 20 for all interfaces, including static and dynamic: switch#show vlan 20 brief Configuring the MAC address table Each DCB port has a MAC address table. The MAC address table stores a number of unicast and multicast address entries without flooding any frames. Brocade VDX 6720 hardware has a configurable aging timer. If a MAC address remains inactive for a specified number of seconds, it is removed from the address table. For detailed information on how the switch handles MAC addresses in a Layer 2 Ethernet environment, see Layer 2 Ethernet overview on page 111. Specifying or disabling the aging time for MAC addresses You can set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated. Static address entries are never aged or removed from the table. You can also disable the aging time. The default is 300 seconds. NOTE To disable the aging time for MAC addresses, enter an aging time value of 0. Brocade Network OS Administrator s Guide 129

154 13 Configuring the MAC address table To specify an aging time or disable the aging time for MAC addresses, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the appropriate command based on whether you want to specify an aging time or disable the aging time for MAC addresses: switch(config)#mac-address-table aging-time 600 Adding static addresses to the MAC address table To add a static address to the MAC address table, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Add the static address to the MAC address table with a packet received on VLAN 100: switch(config)#mac-address-table static forward tengigabitethernet 0/1 vlan Brocade Network OS Administrator s Guide

155 Configuring STP, RSTP, MSTP, and PVST Chapter 14 In this chapter STP overview RSTP overview MSTP overview Overview of Rapid PVST Configuration guidelines and restrictions Default Spanning Tree configuration Spanning Tree configuration and management Configuring STP, RSTP, or MSTP on DCB interface ports STP overview The IEEE 802.1D Spanning Tree Protocol (STP) runs on bridges and switches that are 802.1D-compliant. STP prevents loops in the network by providing redundant links. If a primary link fails, the backup link is activated and network traffic is not affected. Without STP running on the switch or bridge, a link failure can result in a loop. NOTE In VCS mode, all STP options are disabled. Only when the switch is in standalone mode does it support STP, RSTP, MSTP, PVST and rapid PVST. When the spanning tree algorithm is run, the network switches transform the real network topology into a spanning tree topology in which any LAN in the network can be reached from any other LAN through a unique path. The network switches recalculate a new spanning tree topology whenever there is a change to the network topology. For each LAN, the switches that attach to the LAN choose a designated switch that is the closest switch to the root switch. This designated switch is responsible for forwarding all traffic to and from the LAN. The port on the designated switch that connects to the LAN is called the designated port. The switches decide which of their ports will be part of the spanning tree. A port is included in the spanning tree if it is a root port or a designated port. With STP, data traffic is allowed only on those ports that are part of the spanning tree topology. Ports that are not part of the spanning tree topology are automatically changed to a blocking (inactive) state. They are kept in the blocking state until there is a break in the spanning tree topology, at which time they are automatically activated to provide a new path. The STP interface states for every Layer 2 interface running STP are as follows: Blocking The interface does not forward frames. Brocade Network OS Administrator s Guide 131

156 14 STP overview Listening The interface is identified by the spanning tree as one that should participate in frame forwarding. This is a transitional state after the blocking state. Learning The interface prepares to participate in frame forwarding. Forwarding The interface forwards frames. Disabled The interface is not participating in spanning tree because of a shutdown port, no link on the port, or no spanning tree instance running on the port. A port participating in spanning tree moves through these states: From initialization to blocking. From blocking to listening or to disabled. From listening to learning or to disabled. From learning to forwarding, blocking, or disabled. From forwarding to disabled. The following STP features are considered optional features although you might use them in your STP configuration: Root guard For detailed information, see Enabling the guard root on page 149. PortFast BPDU guard and BPDU filter For detailed information, see Enabling port fast (STP) on page 151. Configuring STP The process for configuring STP is as follows. 1. Enter global configuration mode. 2. Enable PVST using the global protocol spanning-tree command. For details, see Enabling STP, RSTP, MSTP, or PVST on page 140. switch(config)#protocol spanning-tree pvst 3. Designate the root switch using the bridge-priority command. For details, see Specifying the bridge priority on page 140. The range is 0 through and the priority values can be set only in increments of switch(conf-stp)#bridge-priority Optional: Enable PortFast on switch ports using the spanning-tree portfast command. For details, see Enabling port fast (STP) on page 151. NOTE PortFast only needs to be enabled on ports that connect to workstations or PCs. Repeat these commands for every port connected to workstations or PCs. Do not enable PortFast on ports that connect to other switches. switch(config)#interface tengigabitethernet 0/10 switch(conf-if-te-0/10)#spanning-tree portfast switch(conf-if-te-0/10)#exit switch(config)#interface tengigabitethernet 0/11 switch(conf-if-te-0/11)#spanning-tree portfast switch(conf-if-te-0/11)#exit Repeat these commands for every port connected to workstations or PCs. 132 Brocade Network OS Administrator s Guide

157 RSTP overview Optional: To interoperate with non-brocade switches, you may need to configure the interface that is connected to that switch with the following spanning-tree bpdu-mac command. switch(config)#interface tengigabitethernet 0/12 switch(conf-if-te-0/12)#spanning-tree bpdu-mac ccc.cccd 6. Set the following ports to forwarding mode: All ports of the root switch The root port The designated port 7. Optional: Enable the guard root feature with the spanning-tree guard root command. The guard root feature provides a way to enforce the root bridge placement in the network. For detailed information, refer to Enabling the guard root on page 149. All other switch ports connect to other switches and bridges are automatically placed in blocking mode. This does not apply to ports connected to workstations or PCs; these ports remain in the forwarding state. 8. Return to privileged EXEC mode. switch(conf-if-te-0/12)#end 9. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config When the spanning tree topology is completed, the network switches send and receive data only on the ports that are part of the spanning tree. Data received on ports that are not part of the spanning tree is blocked. NOTE Brocade recommends leaving other STP variables at their default values. For more information on STP, see Spanning Tree configuration and management on page 140. RSTP overview NOTE RSTP is designed to be compatible and interoperate with STP. However, the advantages of the RSTP fast reconvergence are lost when it interoperates with switches running STP. The IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) standard is an evolution of the 802.1D STP standard. It provides rapid reconvergence following the failure of a switch, a switch port, or a LAN. It provides rapid reconvergence of edge ports, new root ports, and ports connected through point-to-point links. The RSTP interface states for every Layer 2 interface running RSTP are as follows: Learning The interface prepares to participate in frame forwarding. Forwarding The interface forwards frames. Brocade Network OS Administrator s Guide 133

158 14 RSTP overview Discarding The interface discards frames. Note that the 802.1D disabled, blocking, and listening states are merged into the RSTP discarding state. Ports in the discarding state do not take part in the active topology and do not learn MAC addresses. Table 12 lists the interface state changes between STP and RSTP. TABLE 12 STP versus RSTP state comparison STP interface state RSTP interface state Is the interface included in the active topology? Is the interface learning MAC addresses? Disabled Discarding No No Blocking Discarding No No Listening Discarding Yes No Learning Learning Yes Yes Forwarding Forwarding Yes Yes With RSTP, the port roles for the new interface states are also different. RSTP differentiates explicitly between the state of the port and the role it plays in the topology. RSTP uses the root port and designated port roles defined by STP, but splits the blocked port role into backup port and alternate port roles: Backup port Provides a backup for the designated port and can only exist where two or more ports of the switch are connected to the same LAN; the LAN where the bridge serves as a designated switch. Alternate port Serves as an alternate port for the root port providing a redundant path towards the root bridge. Only the root port and the designated ports are part of the active topology; the alternate and backup ports do not participate in it. When the network is stable, the root and the designated ports are in the forwarding state, while the the alternate and backup ports are in the discarding state. When there is a topology change, the new RSTP port roles allow a faster transition of an alternate port into the forwarding state. For more information on RSTP, see Spanning Tree configuration and management on page 140. Configuring RSTP The basic process for configuring RSTP is as follows. 1. Enter global configuration mode. 2. Enable RSTP using the global protocol spanning-tree command. For details, see Enabling STP, RSTP, MSTP, or PVST on page 140. switch(config)#protocol spanning-tree rstp 3. Designate the root switch using the bridge-priority command. For details, see Specifying the bridge priority on page 140. The range is 0 through and the priority values can be set only in increments of switch(conf-stp)#bridge-priority Configure the bridge forward delay value. For details, see Specifying the bridge forward delay on page 141. switch(conf-stp)#forward-delay Brocade Network OS Administrator s Guide

159 RSTP overview Configure the bridge maximum aging time value. For details, see Specifying the bridge maximum aging time on page 141. switch(conf-stp)#max-age Enable the error disable timeout timer value. For details, see Enabling the error disable timeout timer on page 142. switch(conf-stp)#error-disable-timeout enable 7. Configure the error-disable-timeout interval value. For details, see Specifying the error disable timeout interval on page 142. switch(conf-stp)#error-disable-timeout interval Configure the port-channel path cost. For details, see Specifying the port-channel path cost on page 142. switch(conf-stp)#port-channel path-cost custom 9. Configure the bridge hello time value. For details, see Specifying the bridge hello time on page 143. switch(conf-stp)#hello-time Flush the MAC addresses from the VLAN FDB. For details, see Flushing MAC addresses (RSTP and MSTP) on page 146. switch(config)#spanning-tree tc-flush-standard 11. Optional: Enable PortFast on switch ports using the spanning-tree portfast command. For details, see Enabling port fast (STP) on page 151. NOTE PortFast only needs to be enabled on ports that connect to workstations or PCs. Repeat these commands for every port connected to workstations or PCs. Do not enable PortFast on ports that connect to other switches. switch(config)#interface tengigabitethernet 0/10 switch(conf-if-te-0/10)#spanning-tree portfast switch(conf-if-te-0/10)#exit switch(config)#interface tengigabitethernet 0/11 switch(conf-if-te-0/11)#spanning-tree portfast switch(conf-if-te-0/11)#exit switch(config)# Repeat these commands for every port connected to workstations or PCs. 12. Set the following ports to forwarding mode: All ports of the root switch The root port The designated port For details, see Specifying the port priority on page Optional: Enable the guard root feature with the spanning-tree guard root command. The guard root feature provides a way to enforce the root bridge placement in the network. For detailed information, refer to Enabling the guard root on page 149. All other switch ports connect to other switches and bridges are automatically placed in blocking mode. Brocade Network OS Administrator s Guide 135

160 14 MSTP overview This does not apply to ports connected to workstations or PCs; these ports remain in the forwarding state. 14. Return to privileged EXEC mode. switch(config)#end 15. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config MSTP overview The IEEE 802.1s Multiple STP (MSTP) helps create multiple loop-free active topologies on a single physical topology. MSTP enables multiple VLANs to be mapped to the same spanning tree instance (forwarding path), which reduces the number of spanning tree instances needed to support a large number of VLANs. Each MSTP instance has a spanning tree topology independent of other spanning tree instances. With MSTP you can have multiple forwarding paths for data traffic. A failure in one instance does not affect other instances. With MSTP, you are able to more effectively utilize the physical resources present in the network and achieve better load balancing of VLAN traffic. NOTE In MSTP mode, RSTP is automatically enabled to provide rapid convergence. Multiple switches must be configured consistently with the same MSTP configuration to participate in multiple spanning tree instances. A group of interconnected switches that have the same MSTP configuration is called an MSTP region. NOTE Brocade supports 16 MSTP instances and one MSTP region. MSTP introduces a hierarchical way of managing switch domains using regions. Switches that share common MSTP configuration attributes belong to a region. The MSTP configuration determines the MSTP region where each switch resides. The common MSTP configuration attributes are as follows: Alphanumeric configuration name (32 bytes) Configuration revision number (2 bytes) 4096-element table that maps each of the VLANs to an MSTP instance Region boundaries are determined based on the above attributes. A multiple spanning tree instance is an RSTP instance that operates inside an MSTP region and determines the active topology for the set of VLANs mapping to that instance. Every region has a common internal spanning tree (CIST) that forms a single spanning tree instance that includes all the switches in the region. The difference between the CIST instance and the MSTP instance is that the CIST instance operates across the MSTP region and forms a loop-free topology across regions, while the MSTP instance operates only within a region. The CIST instance can operate using RSTP if all the switches across the regions support RSTP. However, if any of the switches operate using 802.1D STP, the CIST instance reverts to 802.1D. Each region is viewed logically as a single STP/RSTP bridge to other regions. 136 Brocade Network OS Administrator s Guide

161 Overview of Rapid PVST 14 Configuring MSTP The basic process for configuring MSTP is as follows. 1. Enter global configuration mode. 2. Enable MSTP using the global protocol spanning-tree command. For more details see Enabling STP, RSTP, MSTP, or PVST on page 140. switch(config)#protocol spanning-tree mstp 3. Specify the region name using the region region_name command. For more details see Specifying a name for an MSTP region on page 145. switch(conf-mstp)#region brocade1 4. Specify the revision number using the revision command. For more details see Specifying a revision number for an MSTP configuration on page 146. switch(conf-mstp)#revision 1 5. Map a VLAN to an MSTP instance using the instance command. For more details see Mapping a VLAN to an MSTP instance on page 144. switch(conf-mstp)#instance 1 vlan 2, 3 switch(conf-mstp)#instance 2 vlan 4-6 switch(conf-mstp)#instance 1 priority Specify the maximum hops for a BPDU to prevent the messages from looping indefinitely on the interface using the max-hops hop_count command. For more details see Specifying the maximum number of hops for a BPDU (MSTP) on page 145. switch(conf-mstp)#max-hops Return to privileged EXEC mode. switch(config)#end 8. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config For more information on MSTP, see Spanning Tree configuration and management on page 140. Overview of Rapid PVST A network topology of bridges typically contains redundant connections to provide alternate paths in case of link failures. But since there is no concept of TTL in Ethernet frames, this could result in permanent circulation of frames if there are loops in the network. To prevent loops, a spanning tree connecting all the bridges is formed in real time. The redundant ports are put in a blocking (non-forwarding) state. They are enabled when required. In order to build a spanning tree for the bridge topology, the bridges must exchange control frames (BPDU Bridge Protocol Data Unit). The protocols define the semantics of the BPDUs and the required state machine. The first spanning tree protocol (STP) became part of the IEEE 802.1d standard. But the convergence time of STP is 50 seconds in the case of link failures. This soon became increasingly unacceptable. Keeping the main skeleton of STP the same, the state machine was changed to speed up the convergence time as part of the Rapid Spanning Tree protocol (RSTP). RSTP became part of the standard IEEE 802.1w. Brocade Network OS Administrator s Guide 137

162 14 Configuration guidelines and restrictions But both STP and RSTP build a single logical topology. A typical network has multiple VLANs. A single logical topology does not efficiently utilize the availability of redundant paths for multiple VLANs. If a port is set to blocked/discarding for one VLAN (under STP/RSTP), it is the same for all other VLANs too. Per-VLAN Spanning Tree (PVST) protocol runs a spanning tree instance for each VLAN in the network. The version of PVST that uses RSTP state machine is called Rapid-PVST (R-PVST). Rapid Per-VLAN Spanning Tree+ (R-PVST+)has one instance of spanning tree for each VLAN on the switch. NOTE We shall use the terms PVST and RPVST inter-changeably hereafter in the document. But PVST is not a scalable model when there are lot of VLANs in the network as it consumes lot of CPU power. A reasonable compromise between the two extremes of RSTP and R-PVST is the Multiple Spanning Tree protocol (MSTP), standardized as IEEE 802.1s and later incorporated into IEEE 802.1Q-2003 standard. MSTP runs multiple instances of spanning tree which are independent of VLANs. It then maps a set of VLANs to each instance. To configure a PVST or Rapid PVST, use the standard STP commands, add the VLAN ID number as a parameter. See the Network OS Command Reference for details. For example, the script below sets up PVST for VLAN 10: switch(config)#protocol spanning-tree pvst switch(conf-pvst)#bridge-priority 8 vlan 10 switch(conf-pvst)#forward-delay 4 vlan 10 switch(conf-pvst)#hello-time 2 vlan 10 switch(conf-pvst)#max-age 7 vlan 10 switch(conf-pvst)#mac-address-reduction enable Configuration guidelines and restrictions Follow these configuration guidelines and restrictions when configuring Spanning Tree: You have to disable one form of xstp before enabling another. Packet drops or packet flooding may occur if you do not enable xstp on all devices connected on both sides of parallel links. LAGs are treated as normal links and by default are enabled for STP. You can have 16 MSTP instances and one MSTP region. Create VLANs before mapping them to MSTP instances. The MSTP force-version option is not supported. For load balancing across redundant paths in the network to work, all VLAN-to-instance mapping assignments must match; otherwise, all traffic flows on a single link. When you enable MSTP by using the global protocol spanning-tree mstp command, RSTP is automatically enabled. For two or more switches to be in the same MSTP region, they must have the same VLAN-to-instance map, the same configuration revision number, and the same name. Spanning Tree topologies must not be enabled on any direct server connections to the front-end Ten Gigabit Ethernet ports that may run FCoE traffic. This may result in lost or dropped FCoE logins. 138 Brocade Network OS Administrator s Guide

163 Default Spanning Tree configuration 14 Default Spanning Tree configuration Table 13 lists the default Spanning Tree configuration. TABLE 13 Parameter Default Spanning Tree configuration Default setting Spanning-tree mode By default, STP, RSTP, and MSTP are disabled Bridge priority Bridge forward delay 15 seconds Bridge maximum aging time 20 seconds Error disable timeout timer Disabled Error disable timeout interval 300 seconds Port-channel path cost Standard Bridge hello time 2 seconds Flush MAC addresses from the VLAN FDB Enabled Table 14 lists the switch defaults that apply only to MSTP configurations. TABLE 14 Parameter Default MSTP configuration Default setting Cisco interoperability Switch priority (when mapping a VLAN to an MSTP instance) Maximum hops Revision number 0 Disabled hops Table 15 lists the switch defaults for the 10-Gigabit Ethernet DCB interface-specific configuration. TABLE 15 Parameter Default 10-Gigabit Ethernet DCB interface-specific configuration Default setting Spanning tree Disabled on the interface Automatic edge detection Disabled Path cost 2000 Edge port Disabled Guard root Disabled Hello time 2 seconds Link type Point-to-point Port fast Disabled Port priority 128 DCB interface root port Allow the DCB interface to become a root port. DCB interface BPDU restriction Restriction is disabled Brocade Network OS Administrator s Guide 139

164 14 Spanning Tree configuration and management Spanning Tree configuration and management NOTE Enter the copy running-config startup-config command to save your configuration changes. Enabling STP, RSTP, MSTP, or PVST You enable STP to detect or avoid loops. STP is not required in a loop-free topology. You must turn off one form of STP before turning on another form. By default, STP, RSTP, and MSTP are not enabled. Perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the protocol command to enable STP, RSTP, MSTP, PVST, or Rapid-PVST. switch(config)#protocol spanning-tree rstp Disabling STP, RSTP, or MSTP NOTE Using the no protocol spanning-tree command deletes the context and all the configurations defined within the context or protocol for the interface. To disable STP, RSTP, or MSTP, perform the following steps from privileged EXEC mode. By default, STP, RSTP, and MSTP are not enabled. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the protocol command to disable STP, RSTP, MSTP, PVST, or Rapid-PVST. switch(config)#no protocol spanning-tree Shutting down STP, RSTP, or MSTP globally To shut down STP, RSTP, or MSTP globally, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the shutdown command to globally shutdown STP, RSTP, MSTP, PVST, or Rapid-PVST. The shutdown command below works in all three modes. switch(conf-mstp)#shutdown Specifying the bridge priority In any mode (STP, RSTP, or MSTP), use this command to specify the priority of the switch. After you decide on the root switch, set the appropriate values to designate the switch as the root switch. If a switch has a bridge priority that is lower than all the other switches, the other switches automatically select the switch as the root switch. 140 Brocade Network OS Administrator s Guide

165 Spanning Tree configuration and management 14 The root switch should be centrally located and not in a disruptive location. Backbone switches typically serve as the root switch because they often do not connect to end stations. All other decisions in the network, such as which port to block and which port to put in forwarding mode, are made from the perspective of the root switch. Bridge protocol data units (BPDUs) carry the information exchanged between switches. When all the switches in the network are powered up, they start the process of selecting the root switch. Each switch transmits a BPDU to directly connected switches on a per-vlan basis. Each switch compares the received BPDU to the BPDU that the switch sent. In the root switch selection process, if switch 1 advertises a root ID that is a lower number than the root ID that switch 2 advertises, switch 2 stops the advertisement of its root ID, and accepts the root ID of switch 1. The switch with the lowest bridge priority becomes the root switch. NOTE Because each VLAN is in a separate broadcast domain, each VLAN must have its own root switch. To specify the bridge priority, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the protocol command to enable STP, RSTP, MSTP, PVST, or Rapid-PVST. switch(config)#protocol spanning-tree rstp 3. Specify the bridge priority. The range is 0 through and the priority values can be set only in increments of The default priority is switch(conf-stp)#bridge-priority Specifying the bridge forward delay In any mode (STP, RSTP, or MSTP), use this command to specify how long an interface remains in the listening and learning states before the interface begins forwarding all spanning tree instances. The range is 4 through 30 seconds. The default is 15 seconds. The following relationship should be kept: 2*(forward_delay - 1)>=max_age>=2*(hello_time + 1) To specify the bridge forward delay, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the protocol command to enable STP, RSTP, MSTP, PVST, or Rapid-PVST. switch(config)#protocol spanning-tree stp 3. Specify the bridge forward delay. switch(conf-stp)#forward-delay 20 Specifying the bridge maximum aging time In any mode (STP, RSTP, or MSTP), use this command to control the maximum length of time that passes before an interface saves its Bridge Protocol Data Unit (BPDU) configuration information. When configuring the maximum aging time, the max-age setting must be greater than the hello-time setting. The range is 6 through 40 seconds. The default is 20 seconds. The following relationship should be kept: Brocade Network OS Administrator s Guide 141

166 14 Spanning Tree configuration and management 2*(forward_delay - 1)>=max_age>=2*(hello_time + 1) To specify the bridge maximum aging time, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the protocol command to enable STP, RSTP, MSTP, PVST, or Rapid-PVST. switch(config)#protocol spanning-tree stp 3. Specify the bridge maximum aging time. switch(conf-stp)##max-age 25 Enabling the error disable timeout timer In any mode (STP, RSTP, or MSTP), use this command to enable the timer to bring a port out of the disabled state. When the STP BPDU guard disables a port, the port remains in the disabled state unless the port is enabled manually. This command allows you to enable the port from the disabled state. For details on configuring the error disable timeout interval, see Specifying the error disable timeout interval on page 142. To enable the error disable timeout timer, perform the following steps from privileged EXEC mode. By default, the timeout feature is disabled. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the protocol command to enable STP, RSTP, MSTP, PVST, or Rapid-PVST. switch(config)#protocol spanning-tree stp 3. Enable the error disable timeout timer. switch(conf-stp)#error-disable-timeout enable Specifying the error disable timeout interval In any mode (STP, RSTP, or MSTP), use this command to specify the time in seconds it takes for an interface to time out. The range is 10 through seconds. The default is 300 seconds. By default, the timeout feature is disabled. To specify the time in seconds it takes for an interface to time out, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the protocol command to enable STP, RSTP, MSTP, PVST, or Rapid-PVST. switch(config)#protocol spanning-tree stp 3. Specify the time in seconds it takes for an interface to time out. switch(conf-stp)#error-disable-timeout interval 60 Specifying the port-channel path cost In any mode (STP, RSTP, or MSTP), use this command to specify the port-channel path cost. The default port cost is standard. The path cost options are: custom Specifies that the path cost changes according to the port-channel s bandwidth. 142 Brocade Network OS Administrator s Guide

167 Spanning Tree configuration and management 14 standard Specifies that the path cost does not change according to the port-channel s bandwidth. To specify the port-channel path cost, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the protocol command to enable STP, RSTP, MSTP, PVST, or Rapid-PVST. switch(config)#protocol spanning-tree stp 3. Specify the port-channel path cost. switch(conf-stp)#port-channel path-cost custom 4. Return to privileged EXEC mode. switch(config)#end 5. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Specifying the bridge hello time In STP or RSTP mode, use this command to configure the bridge hello time. The hello time determines how often the switch interface broadcasts hello Bridge Protocol Data Units (BPDUs) to other devices.the range is 1 through 10 seconds. The default is 2 seconds. When configuring the hello-time, the max-age setting must be greater than the hello-time setting. The following relationship should be kept: 2*(forward_delay - 1)>=max_age>=2*(hello_time + 1) To specify the bridge hello time, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the protocol command to enable STP, RSTP, MSTP, PVST, or Rapid-PVST. switch(config)#protocol spanning-tree stp 3. Specify the time range in seconds for the interval between the hello BPDUs sent on an interface. switch(conf-stp)#hello-time 5 4. Return to privileged EXEC mode. switch(config)#end 5. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Specifying the transmit hold count (RSTP and MSTP) In RSTP and MSTP mode, use this command to configure the BPDU burst size by specifying the transmit hold count value. The command configures the maximum number of BPDUs transmitted per second for RSTP and MSTP before pausing for 1 second. The range is 1 through 10. The default is 6 seconds. To specify the transmit hold count, perform the following steps from privileged EXEC mode. Brocade Network OS Administrator s Guide 143

168 14 Spanning Tree configuration and management 1. Enter the configure terminal command to access global configuration mode. 2. Specify the transmit hold count. switch(config)#transmit-holdcount 5 3. Return to privileged EXEC mode. switch(config)#end 4. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Enabling Cisco interoperability (MSTP) In MSTP mode, use this command to enable or disable the ability to interoperate with certain legacy Cisco switches. If Cisco interoperability is required on any switch in the network, then all switches in the network must be compatible, and therefore enabled using this command. The default is Cisco interoperability is disabled. NOTE This command is necessary because the version 3 length field in the MSTP BPDU on some legacy Cisco switches does not conform to current standards. To enable interoperability with certain legacy Cisco switches, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the protocol command to enable MSTP. switch(config)#protocol spanning-tree mstp 3. Enable interoperability with certain legacy Cisco switches. switch(conf-mstp)#cisco-interoperability enable Disabling Cisco interoperability (MSTP) 1. Enter the configure terminal command to access global configuration mode. 2. Enter the protocol command to enable MSTP. switch(config)#protocol spanning-tree mstp 3. Disable interoperability with certain legacy Cisco switches. switch(conf-mstp)#cisco-interoperability disable Mapping a VLAN to an MSTP instance In MSTP mode, use this command to map a VLAN to an MTSP instance. You can group a set of VLANs to an instance. This command can be used only after the VLAN is created. VLAN instance mapping is removed from the configuration if the underlying VLANs are deleted. To map a VLAN to an MSTP instance, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the protocol command to enable MSTP. 144 Brocade Network OS Administrator s Guide

169 Spanning Tree configuration and management 14 switch(config)#protocol spanning-tree mstp 3. Map a VLAN to an MSTP instance. switch(conf-mstp)#instance 5 vlan Return to privileged EXEC mode. switch(conf-mstp)#end 5. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Specifying the maximum number of hops for a BPDU (MSTP) In MSTP mode, use this command to configure the maximum number of hops for a BPDU in an MSTP region. Specifying the maximum hops for a BPDU prevents the messages from looping indefinitely on the interface. When you change the number of hops, it affects all spanning tree instances. The range is 1 through 40. The default is 20 hops. To configure the maximum number of hops for a BPDU in an MSTP region, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the protocol command to enable MSTP. switch(config)#protocol spanning-tree mstp 3. Enter the max-hops command to configure the maximum number of hops for a BPDU in an MSTP region. switch(conf-mstp)#max-hops hop_count 4. Return to privileged EXEC mode. switch(conf-mstp)#end 5. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Specifying a name for an MSTP region In MSTP mode, use this command to assign a name to an MSTP region. The region name has a maximum length of 32 characters and is case-sensitive. Brocade Network OS Administrator s Guide 145

170 14 Spanning Tree configuration and management To assign a name to an MSTP region, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the protocol command to enable MSTP. switch(config)#protocol spanning-tree mstp 3. Enter the region command to assign a name to an MSTP region. switch(conf-mstp)#region sydney 4. Return to privileged EXEC mode. switch(conf-mstp)#end 5. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Specifying a revision number for an MSTP configuration In MSTP mode, use this command to specify a revision number for an MSTP configuration. The range is 0 through 255. The default is 0. To specify a revision number for an MSTP configuration, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the protocol command to enable MSTP. switch(config)#protocol spanning-tree mstp 3. Enter the revision command to specify a revision number for an MSTP configuration. switch(conf-mstp)#revision Return to privileged EXEC mode. switch(conf-mstp)#end 5. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Flushing MAC addresses (RSTP and MSTP) For RSTP and MSTP, use this command to flush the MAC addresses from the VLAN filtering database (FDB). The VLAN FDB determines the forwarding of an incoming frame. The VLAN FDB contains information that helps determine the forwarding of an arriving frame based on MAC address and VLAN ID data (see VLAN configuration guidelines and restrictions on page 123). There are two ways to flush the MAC addresses: Standard method When one port receives a BPDU frame with a topology change flag, it flushes the FDB for the other ports in the switch. If a BPDU frame with the topology change flag is received continuously, the switch continues to flush the FDB. This behavior is the default behavior. Brocade method With this method, the FDB is only flushed for the first and last BPDU with a topology change flag. 146 Brocade Network OS Administrator s Guide

171 Spanning Tree configuration and management 14 Both methods flush the FDB when the switch receives BPDUs with a topology change flag, but the Brocade method causes less flushing. To flush the MAC addresses from the VLAN FDB, perform the following steps. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the appropriate form of the spanning-tree command based on how you want to flush the address: To flush the MAC address using the standard method: switch(config)#spanning-tree tc-flush-standard To flush the MAC addresses from the VLAN FDB using the Brocade method: switch(config)#no spanning-tree tc-flush-standard Clearing spanning tree counters In privileged EXEC mode, use this command to clear spanning tree counters on all interfaces or on the specified interface. To clear spanning tree counters, perform the following steps from privileged EXEC mode. 1. Use the clear command to clear all spanning tree counters on all interfaces. switch#clear spanning-tree counter 2. Use the clear command to clear the spanning tree counters associated with a specific port-channel or DCB port interface: switch#clear spanning-tree counter interface tengigabitethernet 0/1 Clearing spanning tree-detected protocols In privileged EXEC mode, restart the protocol migration process (force the renegotiation with neighboring switches) on all interfaces or on the specified interface. To restart the protocol migration process, perform the following tasks from privileged EXEC mode. 1. Use the clear command to clear all spanning tree counters on all interfaces: switch#clear spanning-tree detected-protocols 2. Use the clear command to clear the spanning tree counters associated with a specific port-channel or DCB port interface: switch#clear spanning-tree detected-protocols interface tengigabitethernet 0/1 Displaying STP-related information Enter the show spanning tree brief command in privileged EXEC mode to display all STP, RSTP, MSTP, PVST, or Rapid-PVST-related information. Brocade Network OS Administrator s Guide 147

172 14 Configuring STP, RSTP, or MSTP on DCB interface ports Configuring STP, RSTP, or MSTP on DCB interface ports This section details the commands for enabling and configuring STP, RSTP, or MSTP on individual 10-Gigabit Ethernet DCB interface ports. NOTE In VCS mode, all STP options are disabled. Only when the switch is in standalone mode does it support STP, RSTP, MSTP, PVST and rapid PVST on interface ports. Enabling automatic edge detection From the DCB interface, use this command to automatically identify the edge port. The port can become an edge port if no BPDU is received. By default, automatic edge detection is disabled. To enable automatic edge detection on the DCB interface, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the no shutdown command to enable the DCB interface. 4. Enter the spanning-tree command to enable automatic edge detection on the DCB interface. switch(conf-if-te-0/1)#spanning-tree autoedge Configuring the path cost From the DCB interface, use this command to configure the path cost for spanning tree calculations. The lower the path cost means there is a greater chance of the interface becoming the root. The range is 1 through The default path cost is To configure the path cost for spanning tree calculations on the DCB interface, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the no shutdown command to enable the DCB interface. 4. Enter the spanning-tree command to configure the path cost for spanning tree calculations on the DCB interface. switch(conf-if-te-0/1)#spanning-tree cost cost 5. Return to privileged EXEC mode. switch(conf-if-te-0/1)#end 6. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config 148 Brocade Network OS Administrator s Guide

173 Configuring STP, RSTP, or MSTP on DCB interface ports 14 Enabling a port (interface) as an edge port From the DCB interface, use this command to enable the port as an edge port to allow the port to quickly transition to the forwarding state. To configure a port as an edge port, follow these guidelines: A port can become an edge port if no BPDU is received. When an edge port receives a BPDU, it becomes a normal spanning tree port and is no longer an edge port. Because ports that are directly connected to end stations cannot create bridging loops in the network, edge ports transition directly to the forwarding state and skip the listening and learning states. This command is only for RSTP and MSTP. Use the spanning-tree portfast command for STP (see Enabling port fast (STP) on page 151). To enable the DCB interface as an edge port, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the no shutdown command to enable the DCB interface. 4. Enter the spanning-tree command to enable the DCB interface as an edge port. switch(conf-if-te-0/1)#spanning-tree edgeport bpdu-filter Enabling the guard root From the DCB interface, use this command to enable the guard root on the switch. The guard root feature provides a way to enforce the root bridge placement in the network. With the guard root enabled on an interface, the switch is able to restrict which interface is allowed to be the spanning tree root port or the path to the root for the switch. The root port provides the best path from the switch to the root switch. By default, guard root is disabled. Guard root protects the root bridge from malicious attacks and unintentional misconfigurations where a bridge device that is not intended to be the root bridge becomes the root bridge. This causes severe bottlenecks in the data path. Guard root ensures that the port on which it is enabled is a designated port. If the guard root-enabled port receives a superior BPDU, it goes to a discarding state. To enable the guard root on a DCB interface, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the no shutdown command to enable the DCB interface. 4. Enter the spanning-tree command to enable the guard root on a DCB interface. switch(conf-if-te-0/1)#spanning-tree guard root Brocade Network OS Administrator s Guide 149

174 14 Configuring STP, RSTP, or MSTP on DCB interface ports Specifying the MSTP hello time From the DCB interface, use this command to set the time interval between BPDUs sent by the root switch. Changing the hello-time affects all spanning tree instances. The max-age setting must be greater than the hello-time setting (see Specifying the bridge maximum aging time on page 141). The range is 1 through 10 seconds. The default is 2 seconds. To specify the MSTP hello time on a DCB interface, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the no shutdown command to enable the DCB interface. 4. Enter the spanning-tree command to specify the hello time on a DCB interface. switch(conf-if-te-0/1)#spanning-tree hello-time 5 5. Return to privileged EXEC mode. switch(conf-if-te-0/1)#end 6. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Specifying restrictions for an MSTP instance From the DCB interface, use this command to specify restrictions on the interface for an MSTP instance. To specify restrictions for an MSTP instance on a DCB interface, perform the following steps. 1. Enter the configure terminal command to access global configuration mode from privileged EXEC mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the no shutdown command to enable the DCB interface. 4. Enter the spanning-tree command to specify the restrictions for an MSTP instance on a DCB interface. switch(conf-if-te-0/1)#spanning-tree instance 5 cost 3550 restricted-tcn 5. Return to privileged EXEC mode. switch(conf-if-te-0/1)#end 6. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config 150 Brocade Network OS Administrator s Guide

175 Configuring STP, RSTP, or MSTP on DCB interface ports 14 Specifying a link type From the DCB interface, use this command to specify a link type. Specifying the point-to-point keyword enables rapid spanning tree transitions to the forwarding state. Specifying the shared keyword disables spanning tree rapid transitions. The default setting is point-to-point. To specify a link type on a DCB interface, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the no shutdown command to enable the DCB interface. 4. Enter the spanning-tree command to specify the link type on the DCB interface. switch(conf-if-te-0/1)#spanning-tree link-type shared Enabling port fast (STP) From the DCB interface, use this command to enable port fast on an interface to allow the interface to quickly transition to the forwarding state. Port fast immediately puts the interface into the forwarding state without having to wait for the standard forward time. NOTE If you enable the portfast bpdu-guard option on an interface and the interface receives a BPDU, the software disables the interface and puts the interface in the ERR_DISABLE state. Use the spanning-tree edgeport command for MSTP and RSTP (see Enabling a port (interface) as an edge port on page 149). To enable port fast on the DCB interface for STP, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the no shutdown command to enable the DCB interface. 4. Enter the spanning-tree command to enable port fast on the DCB interface. switch(conf-if-te-0/1)#spanning-tree portfast Specifying the port priority From the DCB interface, use this command to specify the port priority. The range is 0 through 240 in increments of 16. The default is 128. To specify the port priority on the DCB interface, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 Brocade Network OS Administrator s Guide 151

176 14 Configuring STP, RSTP, or MSTP on DCB interface ports 3. Enter the no shutdown command to enable the DCB interface. 4. Enter the spanning-tree command to specify the port priority on the DCB interface. switch(conf-if-te-0/1)#spanning-tree priority 32 Restricting the port from becoming a root port From the DCB interface, use this command to restrict a port from becoming a root port. The default is to allow the DCB interface to become a root port. To restrict the DCB interface from becoming a root port, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the no shutdown command to enable the DCB interface. 4. Enter the spanning-tree command to restrict the DCB interface from becoming a root port. switch(conf-if-te-0/1)#spanning-tree restricted-role Restricting the topology change notification From the DCB interface, use this command to restrict the topology change notification BPDUs sent on the interface. By default, the restriction is disabled. To restrict the topology change notification BPDUs sent on the DCB interface, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the no shutdown command to enable the DCB interface. 4. Enter the spanning-tree command to restrict the topology change notification BPDUs sent on the DCB interface. switch(conf-if-te-0/1)#spanning-tree restricted-tcn Enabling spanning tree From the DCB interface, use this command to enable spanning tree on the DCB interface. By default, spanning tree is disabled. To enable spanning tree on the DCB interface, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the no shutdown command to enable the DCB interface. 152 Brocade Network OS Administrator s Guide

177 Configuring STP, RSTP, or MSTP on DCB interface ports Enter the spanning-tree command to enable spanning tree on the DCB interface. switch(conf-if-te-0/1)#no spanning-tree shutdown Disabling spanning tree From the DCB interface, use this command to disable spanning tree on the DCB interface. By default, spanning tree is disabled. To enable spanning tree on the DCB interface, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the no shutdown command to enable the DCB interface. 4. Enter the spanning-tree command to enable spanning tree on the DCB interface. switch(conf-if-te-0/1)#spanning-tree shutdown Brocade Network OS Administrator s Guide 153

178 14 Configuring STP, RSTP, or MSTP on DCB interface ports 154 Brocade Network OS Administrator s Guide

179 Configuring Link Aggregation Chapter 15 In this chapter Link aggregation overview Link aggregation overview Virtual LAG overview LACP configuration guidelines and restrictions Default LACP configuration LACP configuration and management LACP troubleshooting tips Link aggregation allows you to bundle multiple physical Ethernet links to form a single logical trunk providing enhanced performance and redundancy. The aggregated trunk is referred to as a Link Aggregation Group (LAG). The LAG is viewed as a single link by connected devices, the Spanning Tree Protocol, IEEE 802.1Q VLANs, and so on. When one physical link in the LAG fails, the other links stay up and there is no disruption to traffic. To configure links to form a LAG, the physical links must be the same speed and all links must go to the same neighboring device. Link aggregation can be done by manually configuring the LAG or by dynamically configuring the LAG using the IEEE 802.3ad Link Aggregation Control Protocol (LACP). NOTE The LAG or LAG interface is also referred to as a port-channel. The benefits of link aggregation are summarized as follows: Increased bandwidth (The logical bandwidth can be dynamically changed as the demand changes.) Increased availability Load sharing Rapid configuration and reconfiguration The Brocade VDX 6720 hardware supports the following trunk types: Static, standards-based LAG Dynamic, standards-based LAG using LACP Static, Brocade-proprietary LAG Dynamic, Brocade-proprietary LAG using proprietary enhancements to LACP Brocade Network OS Administrator s Guide 155

180 15 Link aggregation overview Link Aggregation Group configuration You can configure a maximum of 24 Link Aggregation Groups (LAGs) with up to 16 links per standard LAG and four links per Brocade-proprietary LAG. Each LAG is associated with an aggregator. The aggregator manages the Ethernet frame collection and distribution functions. On each port, link aggregation control: Maintains configuration information to control port aggregation. Exchanges configuration information with other devices to form LAGs. Attaches ports to and detaches ports from the aggregator when they join or leave a LAG. Enables or disables an aggregator s frame collection and distribution functions. Each link in the Brocade VDX 6720 hardware can be associated with a LAG; a link cannot be associated with more than one LAG. The process of adding and removing links to and from a LAG is controlled statically, dynamically, or through LACP. Each LAG consists of the following components: A MAC address that is different from the MAC addresses of the LAG s individual member links. An interface index for each link to identify the link to neighboring devices. An administrative key for each link. Only links having the same administrative key value can be aggregated into a LAG. On each link configured to use LACP, LACP automatically configures an administrative key value equal to the port-channel identification number. Link Aggregation Control Protocol Link Aggregation Control Protocol (LACP) is an IEEE 802.3ad standards-based protocol that allows two partner systems to dynamically negotiate attributes of physical links between them to form logical trunks. LACP determines whether a link can be aggregated into a LAG. If a link can be aggregated into a LAG, LACP puts the link into the LAG. All links in a LAG inherit the same administrative characteristics. LACP operates in two modes: Passive mode LACP responds to Link Aggregation Control Protocol Data Units (LACPDUs) initiated by its partner system but does not initiate the LACPDU exchange. Active mode LACP initiates the LACPDU exchange regardless of whether the partner system sends LACPDUs. Dynamic link aggregation Dynamic link aggregation uses LACP to negotiate which links can be added and removed from a LAG. Typically, two partner systems sharing multiple physical Ethernet links can aggregate a number of those physical links using LACP. LACP creates a LAG on both partner systems and identifies the LAG by the LAG ID. All links with the same administrative key and all links that are connected to the same partner switch become members of the LAG. LACP continuously exchanges LACPDUs to monitor the health of each member link. Static link aggregation In static link aggregation, links are added into a LAG without exchanging LACPDUs between the partner systems. The distribution and collection of frames on static links is determined by the operational status and administrative state of the link. 156 Brocade Network OS Administrator s Guide

181 Virtual LAG overview 15 Brocade-proprietary aggregation Brocade-proprietary aggregation is similar to standards-based link aggregation but differs in how the traffic is distributed. It also has additional rules that member links must meet before they are aggregated: The most important rule requires that there is not a significant difference in the length of the fiber between the member links, and that all member links are part of the same port-group. The Brocade VDX has two port groups; te0/1 to te0/12 and te0/13 to te0/24. The Brocade VDX has six port groups; te0/1 to te0/10, te0/11 to te0/20, and so on. A maximum of four Brocade LAGs can be created per port-group. LAG distribution process The LAG aggregator is associated with the collection and distribution of Ethernet frames. The collection and distribution process is required to guarantee the following: Inserting and capturing control PDUs. Restricting the traffic of a given conversation to a specific link. Load balancing between individual links. Handling dynamic changes in LAG membership. Virtual LAG overview Configuring a virtual LAG (vlag) is similar to configuring a LAG. Once the VCS fabric detects that the LAG configuration spans multiple switches, the LAG automatically becomes a vlag. LACP on the VCS fabric emulates a single logical switch by sending the same LACP system ID and sending the same admin and openkey. Features of vlag: Only ports with the same speed are aggregated. Brocade proprietary LAGs are not available for vlags. LACP automatically negotiates and forms the vlag. A port-channel interface is created on all the vlag members. The VCS fabric relies on you to consistently configure all nodes in the vlag. Similar to static LAGs, vlags are not able to detect configuration errors. A zero port vlag is allowed. IGMP snooping fits into the primary link of a vlag to carry multicast traffic. Interface statistics are collected and shown per vlag member switch. The statistics are not aggregated across switches participating in a vlag. In order to provide link and node level redundancy, the VCS fabric supports static vlags. A VCS vlag functions with servers that do not implement LACP because it supports static vlags as well. Brocade Network OS Administrator s Guide 157

182 15 Virtual LAG overview Configuring the vlag Perform this procedure on all member nodes of a vlag. To configiure the vlag, perform the following steps in global configuration mode. 1. Configure a LAG between two switches within the VCS fabric. See Link Aggregation Group configuration on page 156 for more information. Once the VCS fabric detects that the LAG configuration spans multiple switches, the LAG automatically becomes a vlag. 2. Configure each VLAG to treat FCoE MAC addresses as being multi-homed hosts, similar to LAN traffic. The default configuration is to treat FCoE traffic as non-vlag traffic. This command must be performed on every port-channel in the vlag. switch(config)#interface port-channel Use the end command to return to privileged EXEC mode. switch(conf-int-po10)#end switch# 4. Use the show command to verify the port channel details. switch#show port-channel detail? Aggregator Po 10 (vlag) Member switches: RBridge id 1 (4) RBrideid 2 (4) Actor System ID -0x8000,01-e Actor System ID Mapped Id: 0 Admin Key: OperKey 0010 Receive link count: 4 -Transmit link count: 4 Individual: 0 -Ready: 1 Partner System ID -0x0001,01-80-c Link: Te 1/0/21 (0x ) sync: 1 Link: Te 1/0/22 (0x ) sync: 1 * Link: Te 1/0/23 (0x ) sync: 1 Link: Te 1/0/24 (0x ) sync: 1 5. Use the show command to verify the port-channel interface details. switch#show port port-channel tengigabitethernet 1/0/21 LACP link info: te0/21-0x Actor System ID: 0x8000,01-e Actor System ID Mapped Id: 0 Partner System ID: 0x0001,01-80-c Actor priority: 0x8000 (32768) Admin key: 0x000a (10) Operkey: 0x0000 (0) Receive machine state : Current Periodic Transmission machine state : Slow periodic Muxmachine state : Collecting/Distr Admin state: ACT:1 TIM:0 AGG:1 SYN:0 COL:0 DIS:0 DEF:1 EXP:0 Operstate: ACT:1 TIM:0 AGG:1 SYN:1 COL:1 DIS:1 DEF:0 EXP:0 Partner operstate: ACT:1 TIM:0 AGG:1 SYN:1 COL:1 DIS:1 DEF:0 EXP:0 Partner operport: Brocade Network OS Administrator s Guide

183 LACP configuration guidelines and restrictions 15 LACP configuration guidelines and restrictions This section applies to standards-based and Brocade-proprietary LAG configurations, except where specifically noted otherwise. Follow these LACP configuration guidelines and restrictions when configuring LACP: All ports on the Brocade VDX 6720 hardware can operate only in full-duplex mode. Brocade-proprietary LAGs only All LAG member links must be part of the same port-group. Switchport interfaces Interfaces configured as switchport interfaces cannot be aggregated into a LAG. However, a LAG can be configured as a switchport. Default LACP configuration Table 16 lists the default LACP configuration. TABLE 16 Parameter Default LACP configuration Default setting System priority Port priority Timeout Long (standard LAG) and short (Brocade LAG) LACP configuration and management NOTE Enter the copy running-config startup-config command to save your configuration. Enabling LACP on a DCB interface To add additional interfaces to an existing LAG, repeat this procedure using the same LAG group number for the new interfaces. To enable LACP on a DCB interface, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the no shutdown command to enable the DCB interface. 4. Enter the channel-group command to configure the LACP for the DCB interface. switch(conf-if)#channel-group 4 mode active type brocade Brocade Network OS Administrator s Guide 159

184 15 LACP configuration and management Configuring the LACP system priority You configure an LACP system priority on each switch running LACP. LACP uses the system priority with the switch MAC address to form the system ID and also during negotiation with other switches. The system priority value must be a number in the range of 1 through The higher the number, the lower the priority. The default priority is To configure the global LACP system priority, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Specify the LACP system priority. switch(config)#lacp system-priority Configuring the LACP timeout period on a DCB interface The LACP timeout period indicates how long LACP waits before timing out the neighboring device. The short timeout period is 3 seconds and the long timeout period is 90 seconds. The default is long. To configure the LACP timeout period on a DCB interface, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the no shutdown command to enable the DCB interface. 4. Specify the LACP timeout period for the DCB interface. switch(conf-if-te-0/1)#lacp timeout short Clearing LACP counter statistics on a LAG To clear LACP counter statistics, enter the clear command to clear the LACP counter statistics for the specified LAG group number. Example of clearing LACP counters for a specific LAG. switch#clear lacp 42 counters Clearing LACP counter statistics on all LAG groups To clear LACP counter statisticsenter the clear command to clear the LACP counter statistics for all LAG groups. Example of clearing LACP counters. switch#clear lacp counters 160 Brocade Network OS Administrator s Guide

185 LACP troubleshooting tips 15 Displaying LACP information Use the show command to display LACP statistics and configuration information. See the Network Operating System Command Reference for information. LACP troubleshooting tips To troubleshoot problems with your LACP configuration, use the following troubleshooting tips. If a standard IEEE 802.3ad-based dynamic trunk is configured on a link and the link is not able to join the LAG: Make sure that both ends of the link are configured as standard for the trunk type. Make sure that both ends of the link are not configured for passive mode. They must be configured as active/active, active/passive, or passive/active. Make sure that the port-channel interface is in the administrative up state by ensuring that the no shutdown command was entered on the interface on both ends of the link. Make sure that the links that are part of the LAG are connected to the same neighboring switch. Make sure that the system ID of the switches connected by the link is unique. This can be verified by entering the show lacp sys-id command on both switches. Make sure that LACPDUs are being received and transmitted on both ends of the link and that there are no error PDUs. This can be verified by entering the show lacp counters number command and looking at the receive mode (rx) and transmit mode (tx) statistics. The statistics should be incrementing and should not be at zero or a fixed value. If the PDU rx count is not incrementing, check the interface for possible CRC errors by entering the show interface link-name command on the neighboring switch. If the PDU tx count is not incrementing, check the operational status of the link by entering the show interface link-name command and verifying that the interface status is up. If a Brocade-based dynamic trunk is configured on a link and the link is not able to join the LAG: Make sure that both ends of the link are configured as Brocade for trunk type. Make sure that both ends of the link are not configured for passive mode. They must be configured as active/active, active/passive, or passive/active. Make sure that the port-channel interface is in the administrative up state by ensuring that the no shutdown command was entered on the interface on both ends of the link. Make sure that the links that are part of the LAG are connected to the same neighboring switch. Make sure that the system ID of the switches connected by the link is unique. This can be verified by entering the show lacp sys-id command on both switches. Make sure that LACPDUs are being received and transmitted on both ends of the link and there are no error PDUs. This can be verified by entering the show lacp counters number command and looking at the rx and tx statistics. The statistics should be incrementing and should not be at zero or a fixed value. If the PDU rx count is not incrementing, check the interface for possible CRC errors by entering the show interface link-name command on the neighboring switch. Brocade Network OS Administrator s Guide 161

186 15 LACP troubleshooting tips Make sure that the fiber length of the link has a deskew value of 7 microseconds. If it does not, the link will not be able to join the LAG and the following RASLOG message is generated: Deskew calculation failed for link <link-name>. When a link has this problem, the show port-channel command displays the following message: Mux machine state : Deskew not OK. If a Brocade-based static trunk is configured on a link and the link is not able to join the LAG: Make sure that both ends of the link are configured as Brocade for trunk type and verify that the mode is on. Make sure that the port-channel interface is in the administrative up state by ensuring that the no shutdown command was entered on the interface on both ends of the link. If a standards-based static trunk is configured on a link and the link is not able to join the LAG: Make sure that both ends of the link are configured as standard for trunk type and verify that the mode is on. Make sure that the port-channel interface is in the administrative up state by ensuring that the no shutdown command was entered on the interface on both ends of the link. 162 Brocade Network OS Administrator s Guide

187 Configuring LLDP Chapter 16 In this chapter LLDP overview Layer 2 topology mapping DCBX overview DCBX interaction with other vendor devices LLDP configuration guidelines and restrictions Default LLDP configuration LLDP configuration and management LLDP overview The IEEE 802.1AB Link Layer Discovery Protocol (LLDP) enhances the ability of network management tools to discover and maintain accurate network topologies and simplify LAN troubleshooting in multi-vendor environments. To efficiently and effectively operate the various devices in a LAN you must ensure the correct and valid configuration of the protocols and applications that are enabled on these devices. With Layer 2 networks expanding dramatically, it is difficult for a network administrator to statically monitor and configure each device in the network. Using LLDP, network devices such as routers and switches advertise information about themselves to other network devices and store the information they discover. Details such as device configuration, device capabilities, and device identification are advertised. LLDP defines the following: A common set of advertisement messages. A protocol for transmitting the advertisements. A method for storing the information contained in received advertisements. NOTE LLDP runs over the data-link layer which allows two devices running different network layer protocols to learn about each other. LLDP information is transmitted periodically and stored for a finite period. Every time a device receives an LLDP advertisement frame, it stores the information and initializes a timer. If the timer reaches the time to live (TTL) value, the LLDP device deletes the stored information ensuring that only valid and current LLDP information is stored in network devices and is available to network management systems. Brocade Network OS Administrator s Guide 163

188 16 Layer 2 topology mapping Layer 2 topology mapping The LLDP protocol lets network management systems accurately discover and model Layer 2 network topologies. As LLDP devices transmit and receive advertisements, the devices store information they discover about their neighbors. Advertisement data such as a neighbor's management address, device type, and port identification is useful in determining what neighboring devices are in the network. NOTE Brocade s LLDP implementation supports a one-to-one connection. Each interface has one and only one neighbor. The higher level management tools, such as Brocade s DCFM, can query the LLDP information to draw Layer 2 physical topologies. The management tools can continue to query a neighboring device through the device s management address provided in the LLDP information exchange. As this process is repeated, the complete Layer 2 topology is mapped. In LLDP the link discovery is achieved through the exchange of link-level information between two link partners. The link-level information is refreshed periodically to reflect any dynamic changes in link-level parameters. The basic format for exchanging information in LLDP is in the form of a type, length, value (TLV) field. LLDP keeps a database for both local and remote configurations. The LLDP standard currently supports three categories of TLVs. Brocade s LLDP implementation adds a proprietary Brocade extension TLV set. The four TLV sets are described as follows: Basic management TLV set. This set provides information to map the Layer 2 topology and includes the following TLVs: - Chassis ID TLV Provides the ID for the switch or router where the port resides. This is a mandatory TLV. - Port description TLV Provides a description of the port in an alphanumeric format. If the LAN device supports RFC-2863, the port description TLV value equals the ifdescr object. This is a mandatory TLV. - System name TLV Provides the system-assigned name in an alphanumeric format. If the LAN device supports RFC-3418, the system name TLV value equals the sysname object. This is an optional TLV. - System description TLV Provides a description of the network entity in an alphanumeric format. This includes system name, hardware version, operating system, and supported networking software. If the LAN device supports RFC-3418, the value equals the sysdescr object. This is an optional TLV. - System capabilities TLV Indicates the primary functions of the device and whether these functions are enabled in the device. The capabilities are indicated by two octets. The first octet indicates Other, Repeater, Bridge, WLAN AP, Router, Telephone, DOCSIS cable device, and Station, respectively. The second octet is reserved. This is an optional TLV. - Management address TLV Indicates the addresses of the local switch. Remote switches can use this address to obtain information related to the local switch. This is an optional TLV. 164 Brocade Network OS Administrator s Guide

189 DCBX overview 16 DCBX overview IEEE organizational TLV set. This set provides information to detect mismatched settings between local and remote devices. A trap or event can be reported once a mismatch is detected. This is an optional TLV. This set includes the following TLVs: - Port VLANID TLV Indicates the port VLAN ID (PVID) that is associated with an untagged or priority tagged data frame received on the VLAN port. - PPVLAN ID TLV Indicates the port- and protocol--based VLAN ID (PPVID) that is associated with an untagged or priority tagged data frame received on the VLAN port. The TLV supports a flags field that indicates whether the port is capable of supporting port- and protocol-based VLANs (PPVLANs) and whether one or more PPVLANs are enabled. The number of PPVLAN ID TLVs in a Link Layer Discovery Protocol Data Unit (LLDPDU) corresponds to the number of the PPVLANs enabled on the port. - VLAN name TLV Indicates the assigned name of any VLAN on the device. If the LAN device supports RFC-2674, the value equals the dot1qvlanstaticname object. The number of VLAN name TLVs in an LLDPDU corresponds to the number of VLANs enabled on the port. - Protocol identity TLV Indicates the set of protocols that are accessible at the device's port. The protocol identity field in the TLV contains a number of octets after the Layer 2 address that can enable the receiving device to recognize the protocol. For example, a device that wishes to advertise the spanning tree protocol includes at least eight octets: length (two octets), LLC addresses (two octets), control (one octet), protocol ID (two octets), and the protocol version (one octet). IEEE organizational TLV set. This is an optional TLV set. This set includes the following TLVs: - MAC/PHY configuration/status TLV Indicates duplex and bit rate capabilities and the current duplex and bit rate settings of the local interface. It also indicates whether the current settings were configured through auto-negotiation or through manual configuration. - Power through media dependent interface (MDI) TLV Indicates the power capabilities of the LAN device. - Link aggregation TLV Indicates whether the link (associated with the port on which the LLDPDU is transmitted) can be aggregated. It also indicates whether the link is currently aggregated and provides the aggregated port identifier if the link is aggregated. - Maximum Ethernet frame size TLV Indicates the maximum frame size capability of the device s MAC and PHY implementation. Storage traffic requires a lossless communication which is provided by DCB. The Data Center Bridging (DCB) Capability Exchange Protocol (DCBX) is used to exchange DCB-related parameters with neighbors to achieve more efficient scheduling and a priority-based flow control for link traffic. DCBX uses LLDP to exchange parameters between two link peers; DCBX is built on the LLDP infrastructure for the exchange of information. DCBX-exchanged parameters are packaged into organizationally specific TLVs. The DCBX protocol requires an acknowledgement from the other side of the link, therefore LLDP is turned on in both transmit and receive directions. DCBX requires version number checking for both control TLVs and feature TLVs. Brocade Network OS Administrator s Guide 165

190 16 DCBX overview DCBX interacts with other protocols and features as follows: LLDP LLDP is run in parallel with other Layer 2 protocols such as RSTP and LACP. DCBX is built on the LLDP infrastructure to communicate capabilities supported between link partners. The DCBX protocol and feature TLVs are treated as a superset of the LLDP standard. QoS management DCBX capabilities exchanged with a link partner are passed down to the QoS management entity to set up the Brocade VDX 6720 hardware to control the scheduling and priority-based flow control in the hardware. The DCBX QoS standard is subdivided into two features sets: Enhanced Transmission Selection Priority Flow Control Enhanced Transmission Selection In a converged network, different traffic types affect the network bandwidth differently. The purpose of Enhanced Transmission Selection (ETS) is to allocate bandwidth based on the different priority settings of the converged traffic. For example, Inter-process communications (IPC) traffic can use as much bandwidth as needed and there is no bandwidth check; LAN and SAN traffic share the remaining bandwidth. Table 17 displays three traffic groups: IPC, LAN, and SAN. ETS allocates the bandwidth based on traffic type and also assigns a priority to the three traffic types as follows: Priority 7 traffic is mapped to priority group 0 which does not get a bandwidth check, priority 2 and priority 3 are mapped to priority group 1, priorities 6, 5, 4, 1 and 0 are mapped to priority group 2. The priority settings shown in Table 17 are translated to priority groups in the Brocade VDX 6720 hardware. TABLE 17 ETS priority grouping of IPC, LAN, and SAN traffic Priority Priority group Bandwidth check 7 0 No 6 2 Yes 5 2 Yes 4 2 Yes 3 1 Yes 2 1 Yes 1 2 Yes 0 2 Yes Priority Flow Control With Priority Flow Control (PFC), it is important to provide lossless frame delivery for certain traffic classes while maintaining existing LAN behavior for other traffic classes on the converged link. This differs from the traditional PAUSE type of flow control where the pause affects all traffic on an interface. PFC is defined by a one-byte bitmap. Each bit position stands for a user priority. If a bit is set, the flow control is enabled in both directions (Rx and Tx). 166 Brocade Network OS Administrator s Guide

191 DCBX interaction with other vendor devices 16 DCBX interaction with other vendor devices When the Brocade VDX 6720 hardware interacts with other vendor devices, the other vendor devices might not have support for the same DCBX version as the Brocade VDX 6720 hardware. The Brocade VDX 6720 hardware supports two DCBX versions: CEE version (1.0.1) Based on the DCB standard. Pre-CEE version. To accommodate the different DCBX versions, the Brocade VDX 6720 hardware provides the following options. Auto-sense (plug and play) This is the default. The Brocade VDX 6720 hardware detects the version used by the link neighbor and automatically switches between the CEE version and the pre-cee version. CEE version Forces the use of the CEE version for the link (auto-sense is off). Pre-CEE version Forces the use of the pre-cee version for the link (auto-sense is off). LLDP configuration guidelines and restrictions Follow these LLDP configuration guidelines and restrictions when configuring LLDP: Brocade s implementation of LLDP supports Brocade-specific TLV exchange in addition to the standard LLDP information. Mandatory TLVs are always advertised. The exchange of LLDP link-level parameters is transparent to the other Layer 2 protocols. The LLDP link-level parameters are reported by LLDP to other interested protocols. NOTE DCBX configuration simply involves configuring DCBX-related TLVs to be advertised. Detailed information is provided in the LLDP configuration and management on page 168. Default LLDP configuration Table 18 lists the default LLDP configuration. TABLE 18 Parameter Default LLDP configuration Default setting LLDP global state LLDP receive LLDP transmit Transmission frequency of LLDP updates Enabled Enabled Enabled 30 seconds Brocade Network OS Administrator s Guide 167

192 16 LLDP configuration and management TABLE 18 Parameter Default LLDP configuration (Continued) Default setting Hold time for receiving devices before discarding DCBX-related TLVs to be advertised 120 seconds dcbx-tlv LLDP configuration and management NOTE Enter the copy running-config startup-config command to save your configuration changes. Enabling LLDP globally The protocol lldp command enables LLDP globally on all interfaces unless it has been specifically disabled on an interface. LLDP is globally enabled by default. To enable LLDP globally, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter LLDP configuration mode. switch(config)#protocol lldp Disabling and resetting LLDP globally The protocol lldp command returns all configuration settings made using the protocol lldp commands to their default settings. LLDP is globally enabled by default. To disable and reset LLDP globally, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Disable LLDP globally. switch(config)#no protocol lldp Configuring LLDP global command options After entering the protocol lldp command from global configuration mode, you are in LLDP configuration mode which is designated with the switch(conf-lldp)# prompt. Using the keywords in this mode, you can set non-default parameter values that apply globally to all interfaces. Specifying a system name for the Brocade VDX 6720 hardware The global system name for LLDP is useful for differentiating between switches. By default, the host-name from the chassis/entity MIB is used. By specifying a descriptive system name, you will find it easier to configure the switch for LLDP. 168 Brocade Network OS Administrator s Guide

193 LLDP configuration and management 16 To specify a global system name for the Brocade VDX 6720 hardware, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter LLDP configuration mode. switch(config)#protocol lldp 3. Specify an LLDP system name for the DCB switch. switch(conf-lldp)#system-name Brocade_Alpha Brocade_Alpha(conf-lldp)# Specifying an LLDP system description for the Brocade VDX 6720 hardware NOTE Brocade recommends you use the operating system version for the description or use the description from the chassis/entity MIB. To specify an LLDP system description for the Brocade VDX 6720 hardware, perform the following steps from privileged EXEC mode. The system description is seen by neighboring switches. 1. Enter the configure terminal command to access global configuration mode. 2. Enter LLDP configuration mode. switch(config)#protocol lldp 3. Specify a system description for the Brocade VDX 6720 hardware. switch(conf-lldp)#system-description IT_1.6.2_LLDP_01 Specifying a user description for LLDP To specify a user description for LLDP, perform the following steps from privileged EXEC mode. This description is for network administrative purposes and is not seen by neighboring switches. 1. Enter the configure terminal command to access global configuration mode. 2. Enter LLDP configuration mode. switch(config)#protocol lldp 3. Specify a user description for LLDP. switch(conf-lldp)#description Brocade-LLDP-installed-july-25 Enabling and disabling the receiving and transmitting of LLDP frames By default both transmit and receive for LLDP frames is enabled. To enable or disable the receiving (rx) and transmitting (tx) of LLDP frames, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the mode command to: Enable only receiving of LLDP frames: switch(conf-lldp)#mode rx Enable only transmitting of LLDP frames: switch(conf-lldp)#mode tx Brocade Network OS Administrator s Guide 169

194 16 LLDP configuration and management Disable all LLDP frame transmissions switch(conf-lldp)#mode no mode Configuring the transmit frequency of LLDP frames To configure the transmit frequency of LLDP frames, perform the following steps from privileged EXEC mode.the default is 30 seconds. 1. Enter the configure terminal command to access global configuration mode. 2. Enter LLDP configuration mode. switch(config)#protocol lldp 3. Configure the transmit frequency of LLDP frames. switch(conf-lldp)#hello 45 Configuring the hold time for receiving devices To configure the hold time for receiving devices, perform the following steps from privileged EXEC mode. This configures the number of consecutive LLDP hello packets that can be missed before declaring the neighbor information as invalid. The default is Enter the configure terminal command to access global configuration mode. 2. Enter LLDP configuration mode. switch(config)#protocol lldp 3. Configure the hold time for receiving devices. switch(conf-lldp)#multiplier 6 Advertising the optional LLDP TLVs NOTE If the advertise optional-tlv command is entered without keywords, all optional LLDP TLVs are advertised. To advertise the optional LLDP TLVs, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter LLDP configuration mode. switch(config)#protocol lldp 3. Advertise the optional LLDP TLVs. switch(conf-lldp)#advertise optional-tlv management-address port-description system-capabilities system-name system-description Configuring the advertisement of LLDP DCBX-related TLVs NOTE By default, the dcbx-tlv is advertised; the dot1-tlv, dot3-tlv, dcbx-fcoe-app-tlv, and dcbx-fcoe-logical-link-tlv are not advertised. 170 Brocade Network OS Administrator s Guide

195 LLDP configuration and management 16 To configure the LLDP DCBX-related TLVs to be advertised, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter LLDP configuration mode. switch(config)#protocol lldp 3. Advertise the LLDP DCBX-related TLVs using these commands: switch(conf-lldp)#advertise dcbx-fcoe-app-tlv switch(conf-lldp)#advertise dcbx-fcoe-logical-link-tlv switch(conf-lldp)#advertise dcbx-tlv switch(conf-lldp)#advertise dot1-tlv switch(conf-lldp)#advertise dot3-tlv Configuring iscsi priority The iscsi priority setting is used to configure the priority that will be advertised in the DCBx iscsi TLV. The iscsi TLV is used only to advertise the iscsi traffic configuration parameters to the attached CEE enabled servers and targets. No verification or enforcement of the usage of the advertised parameters by the iscsi server or target is done by the switch. To configure the iscsi priority, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter LLDP configuration mode. switch(config)#protocol lldp 3. Configure the iscsi priority. switch(conf-lldp)#lldp iscsi-priority 4 4. Advertise the TLV. switch (conf-lldp)#advertise dcbx-isci-app-tlv Configuring LLDP profiles You can configure up to 64 profiles on a switch. Using the no profile NAME command deletes the entire profile. To configure LLDP profiles, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter LLDP configuration mode. switch(config)#protocol lldp 3. Configure the profile name. switch(conf-lldp)#profile UK_LLDP_IT 4. Specify a description for the profile. switch(conf-lldp-profile-uk_lldp_it)#description standard_profile_by_jane Brocade Network OS Administrator s Guide 171

196 16 LLDP configuration and management 5. Enable the transmitting and receiving of LLDP frames. switch(conf-lldp-profile-uk_lldp_it)#mode tx rx 6. Configure the transmission frequency of LLDP updates. switch(conf-lldp-profile-uk_lldp_it)#hello Configure the hold time for receiving devices. switch(conf-lldp-profile-uk_lldp_it)#multiplier 2 8. Advertise the optional LLDP TLVs. switch(conf-lldp)#advertise optional-tlv management-address port-description system-capabilities system-name system-description 9. Advertise the LLDP DCBX-related TLVs. switch(conf-lldp-profile-uk_lldp_it)#advertise dot1-tlv switch(conf-lldp-profile-uk_lldp_it)#advertise dot3-tlv switch(conf-lldp-profile-uk_lldp_it)#advertise advertise dcbx-tlv switch(conf-lldp-profile-uk_lldp_it)#advertise dcbx-fcoe-logical-link-tlv switch(conf-lldp-profile-uk_lldp_it)#advertise dcbx-fcoe-app-tlv switch(conf-lldp-profile-uk_lldp_it)#advertise dcbx-iscsi-app-tlv NOTE Brocade recommends against advertising dot1.tlv and dot3.tlv LLDPs if your network contains CNAs from non-brocade vendors,. This configuration may cause functionality problems. 10. Return to privileged EXEC mode. switch(conf-lldp-profile-uk_lldp_it)#end 11. Enter the copy command to save the running-config file to the startup-config file. switch(conf-lldp-profile-uk_lldp_it)#end switch#copy running-config startup-config Configuring the iscsi profile You can configure an iscsi profile to be applied to individual interfaces. However, the priority bit must be set manually for each interface. Using the no profile name command deletes the entire profile. To configure iscsi profiles, perform the following steps from privileged EXEC mode. 1. Configure the cee-map, if it has not already been created. switch(config)#cee-map switch(conf-ceemap)#priority-group-table 1 weight 50 switch(conf-ceemap)#priority-group-table 2 weight 30 pfc on switch(conf-ceemap)#priority-group-table 3 weight 20 pfc on switch(conf-ceemap)#priority-table Enter LLDP configuration mode. switch(conf-ceemap)#protocol lldp 3. Create an LLDP profile for iscsi. switch(conf-lldp)#profile iscsi_config 4. Advertise the iscsi TLV. switch(conf-lldp-profile-iscsi_config)#advertise dcbx-iscsi-app-tlv 172 Brocade Network OS Administrator s Guide

197 LLDP configuration and management Enter configuration mode for the specific interface. switch (conf-lldp-profile-iscsi_config)#interface te 0/1 6. Apply the CEE Provisioning map to the interface. switch(conf-if-te-0/1)#cee default 7. Apply the LLDP profile you created for iscsi. switch(conf-if-te-0/1)#lldp profile iscsi_config 8. Set the iscsi priority bits for the interface. switch(conf-if-te-0/1)#lldp iscsi-priority-bits 4 9. Repeat steps 5 through 7 for additional interfaces. switch(conf-if-te-0/1)#interface te 0/7 switch(conf-if-te-0/7)#cee default switch(conf-if-te-0/7)#lldp profile iscsi_config switch(conf-if-te-0/7)#lldp iscsi-priority-bits 5 Configuring LLDP interface-level command options Only one LLDP profile can be assigned to an interface. If you do not use the lldp profile option at the interface level, the global configuration is used on the interface. If there are no global configuration values defined, the global default values are used. To configure LLDP interface-level command options, perform the following steps from privileged EXEC mode. 1. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/10 2. Apply an LLDP profile to the interface. switch(conf-if-te-0/10)#lldp profile network_standard 3. Configure the DCBX version for an interface for DCB. For detailed information on these version command keywords, see DCBX interaction with other vendor devices on page 167. The default is to automatically detect the DCBX version. switch(conf-if-te-0/10)#lldp version cee 4. Return to privileged EXEC mode. switch(conf-if-te-0/10)#end 5. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Clearing LLDP-related information To clear LLDP-related information, perform the following steps from privileged EXEC mode. 1. Use the clear command to clear LLDP neighbor information. switch#clear lldp neighbors tengigabitethernet 0/1 2. Use the clear command to clear LLDP statistics. switch#clear lldp statistics tengigabitethernet 0/1 Brocade Network OS Administrator s Guide 173

198 16 LLDP configuration and management Displaying LLDP-related information To display LLDP-related information, perform the following steps from privileged EXEC mode. 1. Use the show lldp command to display LLDP general information. switch#show lldp 2. Use the show lldp command to display LLDP interface-related information. switch#show lldp interface tengigabitethernet 0/1 3. Use the show lldp command to display LLDP neighbor-related information. switch#show lldp neighbors interface tengigabitethernet 0/1 detail 174 Brocade Network OS Administrator s Guide

199 Configuring ACLs Chapter 17 In this chapter ACL overview Default ACL configuration ACL configuration guidelines and restrictions ACL configuration and management ACL overview NOTE In the Brocade Network OS v2.0.0 release, only Layer 2 MAC access control lists (ACLs) are supported. ACLs filter traffic for the Brocade VDX 6720 hardware and permit or deny incoming frames from passing through interfaces that have the ACLs applied to them. You can apply ACLs on VLANs and on Layer 2 interfaces. Each ACL is a unique collection of permit and deny statements (rules) that apply to frames. When a frame is received on an interface, the switch compares the fields in the frame against any ACLs applied to the interface to verify that the frame has the required permissions to be forwarded. The switch compares the frame, sequentially, against each rule in the ACL and either forwards the frame or drops the frame. The switch examines ACLs associated with options configured on a given interface. As frames enter the switch on an interface, ACLs associated with all inbound options configured on that interface are examined. With MAC ACLs you can identify and filter traffic based on the MAC address, and EtherType. The primary benefits of ACLs are as follows: Provide a measure of security. Save network resources by reducing traffic. Block unwanted traffic or users. Reduce the chance of denial of service (DOS) attacks. There are two types of MAC ACLs: Standard ACLs Permit and deny traffic according to the source MAC address in the incoming frame. Use standard MAC ACLs if you only need to filter traffic based on source addresses. Extended ACLs Permit and deny traffic according to the source and destination MAC addresses in the incoming frame, as well as EtherType. Brocade Network OS Administrator s Guide 175

200 17 Default ACL configuration MAC ACLs are supported on the following interface types: Physical interfaces Logical interfaces (LAGs) VLANs Default ACL configuration Table 19 lists the default ACL configuration. TABLE 19 Parameter MAC ACLs Default MAC ACL configuration Default setting By default, no MAC ACLs are configured. ACL configuration guidelines and restrictions Follow these ACL configuration guidelines and restrictions when configuring ACLs: The order of the rules in an ACL is critical. The first rule that matches the traffic stops further processing of the frames. Standard ACLs and extended ACLs cannot have the same name. ACL configuration and management NOTE Enter the copy running-config startup-config command to save your configuration changes. Creating a standard MAC ACL and adding rules NOTE You can use the resequence command to change all the sequence numbers assigned to the rules in a MAC ACL. For detailed information, see Reordering the sequence numbers in a MAC ACL on page 178. To create a standard MAC ACL and add rules, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Create a standard MAC ACL and enter ACL configuration mode. In this example, the name of the standard MAC ACL is test_01. switch(config)#mac access-list standard test_01 switch(conf-macl-std)# 176 Brocade Network OS Administrator s Guide

201 ACL configuration and management Enter the deny command to create a rule in the MAC ACL to drop traffic with the source MAC address. switch(conf-macl-std)#deny count 4. Enter the permit command to create a rule in the MAC ACL to permit traffic with the source MAC address. switch(conf-macl-std)#permit count 5. Use the seq command to create MAC ACL rules in a specific sequence. switch(conf-macl-std)#seq 100 deny count switch(conf-macl-std)#seq 1000 permit count Creating an extended MAC ACL and adding rules NOTE You can use the resequence command to change all the sequence numbers assigned to the rules in a MAC ACL. For detailed information, see Reordering the sequence numbers in a MAC ACL on page 178. The MAC ACL name length is limited to 64 characters. To create an extended MAC ACL and add rules, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Create an extended MAC ACL and enter ACL configuration mode. switch(config)#mac access-list extended test_02 3. Create a rule in the MAC ACL to permit traffic with the source MAC address and the destination MAC address. switch(conf-macl-ext)#permit Use the seq command to insert the rule anywhere in the MAC ACL. switch(conf-macl-std)#seq 5 permit Return to privileged EXEC mode. 6. switch(conf-macl-std)#end 7. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Modifying MAC ACL rules You cannot modify the existing rules of a MAC ACL. However, you can remove the rule and then recreate it with the desired changes. If you need to add more rules between existing rules than the current sequence numbering allows, you can use the resequence command to reassign sequence numbers. For detailed information, see Reordering the sequence numbers in a MAC ACL on page 178. Use a sequence number to specify the rule you wish to modify. Without a sequence number, a new rule is added to the end of the list, and the existing rule is unchanged. Brocade Network OS Administrator s Guide 177

202 17 ACL configuration and management NOTE Using the permit and deny keywords, you can create many different rules. The examples in this section provide the basic knowledge needed to modify MAC ACLs. NOTE This example assumes that test_02 contains an existing rule number 100 with the deny any any options. To modify a MAC ACL, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the mac command to specify the ACL called test_02 for modification. switch(config)#mac access-list extended test_02 3. Enter the no seq command to delete the existing rule 100. switch (config)#no seq Enter the seq command to re create rule number 100 by recreating it with new parameters. switch(conf-macl-ext)#seq 100 permit any any Removing a MAC ACL To remove a MAC ACL, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the mac command to specify and delete the ACL that you want to remove. In this example, the extended MAC ACL name is test_02. switch(config)#no mac access-list extended test_02 Reordering the sequence numbers in a MAC ACL You can reorder the sequence numbers assigned to rules in a MAC ACL. Reordering the sequence numbers is useful when you need to insert rules into an ACL and there are not enough available sequence numbers. The first rule receives the number specified by the starting-sequence number that you specify. Each subsequent rule receives a number larger than the preceding rule. The difference in numbers is determined by the increment number that you specify. The starting-sequence number and the increment number must be in the range of 1 through For example, in the task listed below the resequence command assigns a sequence number of 50 to the rule named test_02, then the second rule has a sequence number of 55 and the third rule a has a sequence number of 60. switch#resequence access-list mac test_ Brocade Network OS Administrator s Guide

203 ACL configuration and management 17 Applying a MAC ACL to a DCB interface Ensure that the ACL that you want to apply exists and is configured to filter traffic in the manner that you need for this DCB interface. An ACL does not take effect until it is expressly applied to an interface using the access-group command. Frames can be filtered as they enter an interface (ingress direction). To apply a MAC ACL to a DCB interface, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to specify the DCB interface type and slot/port number. switch(config)#interface tengigabitethernet 0/1 3. Enter the switchport command to configure the interface as a Layer 2 switch port. 4. Enter the mac-access-group command to specify the MAC ACL that is to be applied to the Layer 2 DCB interface in the ingress direction. switch(conf-if-te-0/1)#mac access-group test_02 in Applying a MAC ACL to a VLAN interface Ensure that the ACL that you want to apply exists and is configured to filter traffic in the manner that you need for this VLAN interface. An ACL does not take effect until it is expressly applied to an interface using the access-group command. Frames can be filtered as they enter an interface (ingress direction). To apply a MAC ACL to a VLAN interface, perform the following steps from privileged EXEC mode. 1. Enter the configure terminal command to access global configuration mode. 2. Enter the interface command to apply the VLAN interface to the MAC ACL. switch(config)#interface vlan Enter the mac-access-group command to specify the MAC ACL that is to be applied to the VLAN interface in the ingress direction. switch(conf-if-vl-82)# mac access-group test_02 in Brocade Network OS Administrator s Guide 179

204 17 ACL configuration and management 180 Brocade Network OS Administrator s Guide

205 Configuring QoS Chapter 18 In this chapter Standalone QoS Rewriting Queueing Congestion control Multicast rate limiting Scheduling Data Center Bridging map configuration VCS fabric QoS Standalone QoS Standalone Quality of Service (QoS) provides you with the capability to control how the traffic is moved from switch to switch. In a network that has different types of traffic with different needs (also known as CoS), the goal of QoS is to provide each traffic type with a virtual pipe. FCoE uses traffic class mapping, scheduling, and flow control to provide quality of service. Traffic running through the switches can be classified as either multicast traffic or unicast traffic. Multicast traffic has a single source but multiple destinations. Unicast traffic has a single source with a single destination. With all this traffic going through inbound and outbound ports, QoS can be set based on egress port and priority level of the CoS. QoS can also be set on interfaces where the end-station knows how to mark traffic with QoS and it lies with the same trusted interfaces. An untrusted interface is when the end-station is untrusted and is at the administrative boundaries. The QoS features are: Rewriting Rewriting or marking a frame allows for overriding header fields such as the priority and VLAN ID. Queueing Queueing provides temporary storage for frames while waiting for transmission. Queues are selected based on ingress ports, egress ports, and configured user priority level. Congestion control When queues begin filling up and all buffering is exhausted, frames are dropped. This has a detrimental effect on application throughput. Congestion control techniques are used to reduce the risk of queue overruns without adversely affecting network throughput. Congestion control features include IEEE 802.3x Ethernet Pause, Tail Drop, and Ethernet Priority Flow Control (PFC). Multicast rate limiting Many multicast applications cannot be adapted for congestion control techniques and the replication of frames by switching devices can exacerbate this problem. Multicast rate limiting controls frame replication to minimize the impact of multicast traffic. Brocade Network OS Administrator s Guide 181

206 18 Rewriting Data Center Bridging DCB describes an enhanced Ethernet that will enable convergence of various applications in data centers (LAN, SAN, and IPC) onto a single interconnect technology. Rewriting Rewriting a frame header field is typically performed by an edge device. Rewriting occurs on frames as they enter or exit a network because the neighboring device is untrusted, unable to mark the frame, or is using a different QoS mapping. The frame rewriting rules set the Ethernet CoS and VLAN ID fields. Egress Ethernet CoS rewriting is based on the user-priority mapping derived for each frame as described later in the queueing section. Queueing Queue selection begins by mapping an incoming frame to a configured user priority, then each user-priority mapping is assigned to one of the switch s eight unicast traffic class queues or one of the eight multicast traffic class queues. User-priority mapping There are several ways an incoming frame can be mapped into a user-priority. If the neighboring devices are untrusted or unable to properly set QoS, then the interface is considered untrusted. All traffic must be user-priority mapped using explicit policies for the interface to be trusted; if it is not mapped in this way, the ieee 802.1Q default-priority mapping is used. If an interface is trusted to have QoS set then the CoS header field can be interpreted. In standalone mode: All incoming priority 7 tagged packets are counted in queue 7 (TC7). Untagged control frames are counted in queue 7 (TC7). NOTE The user priority mapping described in this section applies to both unicast and multicast traffic. Default user-priority mappings for untrusted interfaces When Layer 2 QoS trust is set to untrusted then the default is to map all Layer 2 switched traffic to the port default user priority value of 0 (best effort), unless configured to a different value. Table 20 presents the Layer 2 QoS untrusted user priority generation table. TABLE 20 Incoming CoS Default priority value of untrusted interfaces User Priority 0 port <user priority> (default 0) 1 port <user priority> (default 0) 2 port <user priority> (default 0) 3 port <user priority> (default 0) 182 Brocade Network OS Administrator s Guide

207 Queueing 18 TABLE 20 Incoming CoS Default priority value of untrusted interfaces (Continued) User Priority 4 port <user priority> (default 0) 5 port <user priority> (default 0) 6 port <user priority> (default 0) 7 port <user priority> (default 0) NOTE Non-tagged Ethernet frames are interpreted as incoming CoS value of 0 (zero). You can override the default user-priority mapping by applying explicit user-priority mappings. When neighboring devices are trusted and able to properly set QoS then Layer 2 QoS trust can be set to CoS and the IEEE 802.1Q default-priority mapping is applied. Table 21 presents the Layer 2 CoS user priority generation table conforming to 802.1Q default mapping. You can override this default user priority table per port if you want to change (mutate) the CoS value. TABLE 21 IEEE 802.1Q default priority mapping Incoming CoS User Priority Configuring the QoS trust mode The QoS trust mode controls user priority mapping of incoming traffic. The Class of Service (CoS) mode sets the user priority based on the incoming CoS value. If the incoming packet is not priority tagged, then fallback is to the Interface Default CoS value. NOTE When a CEE map is applied on an interface, the qos trust command is not allowed. The CEE map always puts the interface in the CoS trust mode. Perform the following steps from privileged EXEC mode to configure the QoS trust mode. 1. Enter global configuration mode. switch#configure terminal 2. Specify the 10-gigabit Ethernet interface. switch(config)#interface tengigabitethernet 0/2 Brocade Network OS Administrator s Guide 183

208 18 Queueing 3. Set the interface mode to trust. switch(conf-if-te-0/2)#qos trust cos 4. Return to privileged EXEC mode. switch(conf-if-te-0/2)#end 5. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Configuring user-priority mappings Perform the following steps from privileged EXEC mode to configure user-priority mappings. 1. Enter global configuration mode. switch#configure terminal 2. Specify the 10-gigabit Ethernet interface. switch(config)#interface tengigabitethernet 0/2 3. Set the interface mode to 3. switch(conf-if-te-0/2)#qos cos 3 4. Return to privileged EXEC mode. switch(conf-if-te-0/2)#end 5. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Creating a CoS-to-CoS mutation QoS map Perform the following steps from privileged EXEC mode to create a CoS-to-CoS mutation. 1. Enter global configuration mode. switch#configure terminal 2. Create the CoS-to-CoS mutation QoS map name. In this example test is used. switch(config)#qos map cos-mutation test 3. Return to privileged EXEC mode. switch(conf-if-te-0/2)#end 4. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Applying a CoS-to-CoS mutation QoS map Perform the following steps from privileged EXEC mode to apply a CoS-to-CoS mutation QoS map. 1. Enter global configuration mode. switch#configure terminal 2. Specify the 10-gigabit Ethernet interface. switch(config)#interface tengigabitethernet 0/2 184 Brocade Network OS Administrator s Guide

209 Queueing Activate or apply changes made to the CoS-to-CoS mutation QoS map name. In this example test is used. switch(conf-if-te-0/2)#qos map cos-mutation test Specify the trust mode for incoming traffic. Use this command to specify the interface ingress QoS trust mode, which controls user priority mapping of incoming traffic. The untrusted mode overrides all incoming priority markings with the Interface Default CoS. The CoS mode sets the user priority based on the incoming CoS value, if the incoming packet is not priority tagged, then fallback is to the Interface Default CoS value. switch(conf-if-te-0/2)#qos trust cos 5. Return to privileged EXEC mode. switch(conf-if-te-0/2)#end 6. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Traffic class mapping The Brocade switch supports eight unicast traffic classes for isolation and to control servicing for different priorities of application data. Traffic classes are numbered from 0 through 7, with higher values designating higher priority. The traffic class mapping stage provides some flexibility in queue selection: The mapping may be many-to-one, such as mapping one byte user priority (256 values) to eight traffic classes. There may be a non-linear ordering between the user priorities and traffic classes. Unicast traffic Table 22 presents the Layer 2 default traffic class mapping supported for a CoS-based user priority to conform to 802.1Q default mapping. TABLE 22 User priority Default user priority for unicast traffic class mapping Traffic class You are allowed to override these default traffic class mappings per port. Once the traffic class mapping has been resolved it is applied consistently across any queueing incurred on the ingress and the egress ports. Brocade Network OS Administrator s Guide 185

210 18 Queueing Multicast traffic The Brocade switch supports eight multicast traffic classes for isolation and to control servicing for different priorities of application data. Traffic classes are numbered from 0 through 7, with higher values designating higher priority. The traffic class mapping stage provides some flexibility in queue selection. Table 23 presents the Layer 2 default traffic class mapping supported for a CoS-based user priority to conform to 802.1Q default mapping. TABLE 23 User Priority Default user priority for multicast traffic class mapping Traffic class Once the traffic class mapping has been resolved for ingress traffic, it is applied consistently across all queueing incurred on the ingress and egress ports. Mapping CoS-to-Traffic-Class Perform the following steps from privileged EXEC mode to map a CoS-to-Traffic-Class. 1. Enter global configuration mode. switch#configure terminal 2. Create the CoS-Traffic-Class mapping by specifying a name and the mapping. switch(config)#qos map cos-traffic-class test Return to privileged EXEC mode. switch(config)#end 4. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Activating a mapping CoS-to-Traffic-Class Perform the following steps from privileged EXEC mode to activate a CoS-to-traffic class mapping. 1. Enter global configuration mode. switch#configure terminal 2. Specify the 10-gigabit Ethernet interface. switch(config)#interface tengigabitethernet 0/2 186 Brocade Network OS Administrator s Guide

211 Congestion control 18 Congestion control 3. Activate the CoS-to-Traffic-Class mapping by name. switch(conf-if-te-0/2)#qos cos-traffic-class test 4. Return to privileged EXEC mode. switch(conf-if-te-0/2)#end 5. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Verifying a mapping CoS-to-Traffic-Class Perform the following steps from privileged EXEC mode to verify a CoS-to-Traffic-Class mapping. 1. Enter global configuration mode. switch#configure terminal 2. Verify the CoS-Traffic-Class mapping specifying a name and the mapping. switch(config)#show qos map cos-traffic-class test 3. Return to privileged EXEC mode. switch(config)#end 4. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Queues can begin filling up due to a number of reasons, such as over subscription of a link or backpressure from a downstream device. Sustained, large queue buildups generally indicate congestion in the network and can affect application performance through increased queueing delays and frame loss. Congestion control covers features that define how the system responds when congestion occurs or active measures taken to prevent the network from entering a congested state. Tail drop Tail drop queueing is the most basic form of congestion control. Frames are queued in FIFO order and queue buildup can continue until all buffer memory is exhausted. This is the default behavior when no additional QoS has been configured. The basic tail drop algorithm does not have any knowledge of multiple priorities and per traffic class drop thresholds can be associated with a queue to address this. When the queue depth breaches a threshold, then any frame arriving with the associated priority value will be dropped. Figure 13 describes how you can utilize this feature to ensure that lower priority traffic cannot Brocade Network OS Administrator s Guide 187

212 18 Congestion control totally consume the full buffer memory. Thresholds can also be used to bound the maximum queueing delay for each traffic class. Additionally if the sum of the thresholds for a port is set below 100 percent of the buffer memory, then you can also ensure that a single port does not monopolize the entire shared memory pool. FIGURE 13 Queue depth The tail drop algorithm can be extended to support per priority drop thresholds. When the ingress port CoS queue depth breaches a threshold, then any frame arriving with the associated priority value will be dropped. Figure 13 describes how you can utilize this feature to ensure lower priority traffic cannot totally consume the full buffer memory. Thresholds can also be used to bound the maximum queueing delay for each traffic class. Additionally if the sum of the thresholds for a port is set below 100 percent of the buffer memory then you can also ensure that a single CoS does not monopolize the entire shared memory pool allocated to the port. Changing the Tail Drop threshold Perform the following steps from privileged EXEC mode to change the Tail Drop threshold. 1. Enter global configuration mode. switch#configure terminal 2. Change the Tail Drop threshold for each multicast traffic class. In this example, 1000pkt is used. switch(config)#qos rcv-queue multicast threshold Return to privileged EXEC mode. switch(config)#end 4. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config 188 Brocade Network OS Administrator s Guide

213 Congestion control 18 Ethernet pause Ethernet Pause is an IEEE standard mechanism for back pressuring a neighboring device. Pause messages are sent by utilizing the optional MAC control sublayer. A Pause frame contains a 2-byte pause number, which states the length of the pause in units of 512 bit times. When a device receives a Pause frame, it must stop sending any data on the interface for the specified length of time, once it completes transmission of any frame in progress. You can use this feature to reduce Ethernet frame losses by using a standardized mechanism. However the Pause mechanism does not have the ability to selectively back pressure data sources multiple hops away, or exert any control per VLAN or per priority, so it is disruptive to all traffic on the link. Ethernet Pause includes the following features: All configuration parameters can be specified independently per interface. Pause On/Off can be specified independently for TX and RX directions. No support is provided for auto-negotiation. Pause generation is based on input (receive) queueing. Queue levels are tracked per input port. You can change the high-water and low-water threshold for each input port. When the instantaneous queue depth crosses the high-water mark then a Pause is generated. If any additional frames are received and the queue length is still above the low-water mark then additional Pauses are generated. Once the queue length drops below the low-water mark then Pause generation ceases. A Pause that is received and processed halts transmission of the output queues associated with the port for the duration specified in the Pause frame. Enabling Ethernet Pause Perform the following steps from privileged EXEC mode to enable Ethernet Pause. 1. Enter global configuration mode. switch#configure terminal 2. Specify the 10-gigabit Ethernet interface. switch(config)#interface tengigabitethernet 0/2 3. Enable Ethernet Pause on the interface for both TX and RX traffic. switch(conf-if-te-0/2)#qos flowcontrol tx on rx on 4. Return to privileged EXEC mode. switch(conf-if-te-0/2)#end 5. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Ethernet Priority Flow Control Ethernet Priority Flow Control (PFC) is a basic extension of the Ethernet Pause. The Pause MAC control message is extended with eight 2-byte pause numbers and a bitmask to indicate which values are valid. Each pause number is interpreted identically to the base Pause protocol; however each is applied to the corresponding Ethernet priority / class level. For example, the Pause number zero applies to priority zero, Pause number one applies to priority one, and so on. This addresses one shortcoming of the Ethernet Pause mechanism, which is disruptive to all traffic on the link. However, it still suffers from the other Ethernet Pause limitations. Brocade Network OS Administrator s Guide 189

214 18 Multicast rate limiting Ethernet Priority Flow Control includes the following features: Everything operates exactly as in Ethernet Pause described above except there are eight high-water and low-water thresholds for each input port. This means queue levels are tracked per input port plus priority. Pause On/Off can be specified independently for TX and RX directions per priority. Pause time programmed into Ethernet MAC is a single value covering all priorities. Both ends of a link must be configured identically for Ethernet Pause or Ethernet Priority Flow Control because they are incompatible. Enabling an Ethernet PFC Perform the following steps from privileged EXEC mode to enable Ethernet PFC. 1. Enter global configuration mode. switch#configure terminal 2. Specify the 10-gigabit Ethernet interface. switch(config)#interface tengigabitethernet 0/2 3. Enable an Ethernet PFC on the interface. switch(conf-if-te-0/2)#qos flowcontrol pfc 3 tx on rx on 4. Return to privileged EXEC mode. switch(conf-if-te-0/2)#end 5. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Multicast rate limiting Multicast rate limiting provides a mechanism to control multicast frame replication and cap the effect of multicast traffic. Multicast rate limit is applied to the output of each multicast receive queue. Rate limits apply equally to ingress receive queueing (first level expansion) and egress receive queueing (second level expansion) since the same physical receive queues are utilized. You can set policies to limit the maximum multicast frame rate differently for each traffic class level and cap the total multicast egress rate out of the system. Multicast rate limiting includes the following features: All configuration parameters are applied globally. Multicast rate limits are applied to multicast receive queues as frame replications are placed into the multicast expansion queues. The same physical queues are used for both ingress receive queues and egress receive queues so rate limits are applied to both ingress and egress queueing. Four explicit multicast rate limit values are supported, one for each traffic class. The rate limit values represent the maximum multicast expansion rate in packets per second (PPS). 190 Brocade Network OS Administrator s Guide

215 Scheduling 18 Creating a receive queue multicast rate-limit Perform the following steps from privileged EXEC mode to create the receive queue multicast rate-limit. 1. Enter global configuration mode. switch#configure terminal 2. Create a lower maximum multicast frame expansion rate. In this example, the rate is to PPS. switch(config)#qos rcv-queue multicast rate-limit Return to privileged EXEC mode. switch(config)#end 4. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Scheduling Scheduling arbitrates among multiple queues waiting to transmit a frame. The Brocade switch supports both Strict Priority (SP) and Deficit Weighted Round Robin (DWRR) scheduling algorithms. Also supported is the flexible selection of the number of traffic classes using SP-to-DWRR. When there are multiple queues for the same traffic class, then scheduling takes these equal priority queues into consideration. Strict priority scheduling Strict priority scheduling is used to facilitate support for latency-sensitive traffic. A strict priority scheduler drains all frames queued in the highest priority queue before continuing on to service lower priority traffic classes. A danger with this type of service is that a queue can potentially starve out lower priority traffic classes. Figure 14 describes the frame scheduling order for an SP scheduler servicing two SP queues. The higher numbered queue, SP2, has a higher priority. FIGURE 14 Strict priority schedule two queues Deficit weighted round robin scheduling Weighted Round Robin (WRR) scheduling is used to facilitate controlled sharing of the network bandwidth. WRR assigns a weight to each queue; that value is then used to determine the amount of bandwidth allocated to the queue. The round robin aspect of the scheduling allows each queue to be serviced in a set ordering, sending a limited amount of data before moving onto the next queue and cycling back to the highest priority queue after the lowest priority is serviced. Brocade Network OS Administrator s Guide 191

216 18 Scheduling Figure 15 describes the frame scheduling order for a WRR scheduler servicing two WRR queues. The higher numbered queue is considered higher priority (WRR2) and the weights indicate the network bandwidth should be allocated in a 2:1 ratio between the two queues. In Figure 15 WRR2 should receive 66 percent of bandwidth and WRR1 receives 33 percent. The WRR scheduler tracks the extra bandwidth used and subtracts it from the bandwidth allocation for the next cycle through the queues. In this way, the bandwidth utilization statistically matches the queue weights over longer time periods. FIGURE 15 WRR schedule two queues Deficit Weighted Round Robin (DWRR) is an improved version of WRR. DWRR remembers the excess used when a queue goes over its bandwidth allocation and reduces the queue's bandwidth allocation in the subsequent rounds. This way the actual bandwidth usage is closer to the defined level when compared to WRR. Traffic class scheduling policy The traffic classes are numbered from 0 to 7; higher numbered traffic classes are considered higher priority. The Brocade switch provides full flexibility in controlling the number of SP-to-WRR queues. The number of SP queues is specified in N (SP1 through 8), then the highest priority traffic classes are configured for SP service and the remaining eight are WRR serviced. Table 24 describes the set of scheduling configurations supported. When you configure the QoS queue to use strict priority 4 (SP4), then traffic class 7 will use SP4, traffic class 6 will use SP3, and so on down the list. You use the strict priority mappings to control how the different traffic classes will be routed in the queue. TABLE 24 Supported scheduling configurations Traffic Class SP0 SP1 SP2 SP3 SP4 SP5 SP6 SP8 7 WRR8 SP1 SP2 SP3 SP4 SP5 SP6 SP8 6 WRR7 WRR7 SP1 SP2 SP3 SP4 SP5 SP7 5 WRR6 WRR6 WRR6 SP1 SP2 SP3 SP4 SP6 4 WRR5 WRR5 WRR5 WRR5 SP1 SP2 SP3 SP5 3 WRR4 WRR4 WRR4 WRR4 WRR4 SP1 SP2 SP4 2 WRR3 WRR3 WRR3 WRR3 WRR3 WRR3 SP1 SP3 1 WRR2 WRR2 WRR2 WRR2 WRR2 WRR2 WRR2 SP2 0 WRR1 WRR1 WRR1 WRR1 WRR1 WRR1 WRR1 SP1 192 Brocade Network OS Administrator s Guide

217 Scheduling 18 Figure 16 shows that extending the frame scheduler to a hybrid SP+WRR system is fairly straightforward. All SP queues are considered strictly higher priority than WRR so they are serviced first. Once all SP queues are drained, then the normal WRR scheduling behavior is applied to the non-empty WRR queues. FIGURE 16 Strict priority and Weighted Round Robin scheduler Scheduling the QoS queue Perform the following steps from privileged EXEC mode specify the schedule to use. 1. Enter global configuration mode. switch#configure terminal 2. Specify the schedule to use and the traffic class to bandwidth mapping. switch(config)#qos queue scheduler strict-priority 4 dwrr Return to privileged EXEC mode. switch(config)#end 4. Enter the copy command to save the running-config file to the startup-config file. switch#copy running-config startup-config Multicast queue scheduling The multicast traffic classes are numbered from 0 to 7; higher numbered traffic classes are considered higher priority. A fixed mapping from multicast traffic class to equivalent unicast traffic class is applied to select the queue scheduling behavior. Once the multicast traffic class equivalence mapping has been applied, then scheduling and any scheduler configuration are inherited from the equivalent unicast traffic class. See Table 24 on page 192 for details on exact mapping equivalencies. Unicast ingress and egress queueing utilizes a hybrid scheduler that simultaneously supports SP+WRR service and multiple physical queues with the same service level. Multicast adds additional multicast expansion queues. Since multicast traffic classes are equivalent to unicast service levels, they're treated exactly as their equivalent unicast service policies. Scheduling the QoS multicast queue Perform the following steps from privileged EXEC mode to schedule the QoS multicast queue. 1. Enter global configuration mode. switch#configure terminal Brocade Network OS Administrator s Guide 193